# Flog Txt Version 1 # Analyzer Version: 2.3.2 # Analyzer Build Date: Jan 8 2019 16:19:15 # Log Creation Date: 10.02.2019 19:09:39.266 Process: id = "1" image_name = "tcpsov.exe" filename = "c:\\users\\ciihmnxmn6ps\\desktop\\tcpsov.exe" page_root = "0x2a9c4000" os_pid = "0xe88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe\" " cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8 start_va = 0x400000 end_va = 0x43cfff entry_point = 0x400000 region_type = mapped_file name = "tcpsov.exe" filename = "\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\tcpsov.exe") Region: id = 9 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 12 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 13 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15 start_va = 0x7fff0000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 157 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 158 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 159 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 160 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 161 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 162 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 163 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 164 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 165 start_va = 0x440000 end_va = 0x4fdfff entry_point = 0x440000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 166 start_va = 0x746b0000 end_va = 0x74740fff entry_point = 0x746b0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 167 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 168 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 169 start_va = 0x1c0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 170 start_va = 0x500000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 171 start_va = 0x74570000 end_va = 0x74601fff entry_point = 0x74570000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\\comctl32.dll") Region: id = 172 start_va = 0x74750000 end_va = 0x747a8fff entry_point = 0x74750000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 173 start_va = 0x747b0000 end_va = 0x747b9fff entry_point = 0x747b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 174 start_va = 0x747c0000 end_va = 0x747ddfff entry_point = 0x747c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 175 start_va = 0x74a00000 end_va = 0x74aabfff entry_point = 0x74a00000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 176 start_va = 0x75030000 end_va = 0x7517cfff entry_point = 0x75030000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 177 start_va = 0x76c70000 end_va = 0x76daffff entry_point = 0x76c70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 178 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 179 start_va = 0x772b0000 end_va = 0x772f2fff entry_point = 0x772b0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 180 start_va = 0x77550000 end_va = 0x775cafff entry_point = 0x77550000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 181 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 182 start_va = 0x6e0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 183 start_va = 0x6f0000 end_va = 0x877fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 184 start_va = 0x74df0000 end_va = 0x74f0ffff entry_point = 0x74df0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 185 start_va = 0x74f10000 end_va = 0x74f3afff entry_point = 0x74f10000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 186 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 187 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 188 start_va = 0x880000 end_va = 0xa00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 189 start_va = 0xa10000 end_va = 0x1e0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 190 start_va = 0x1f70000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 191 start_va = 0x600000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 192 start_va = 0x310000 end_va = 0x310fff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 193 start_va = 0x320000 end_va = 0x334fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 194 start_va = 0x340000 end_va = 0x359fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 195 start_va = 0x75310000 end_va = 0x766cefff entry_point = 0x75310000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 196 start_va = 0x76790000 end_va = 0x76c6cfff entry_point = 0x76790000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 197 start_va = 0x77390000 end_va = 0x77549fff entry_point = 0x77390000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 198 start_va = 0x74da0000 end_va = 0x74de3fff entry_point = 0x74da0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 199 start_va = 0x74ab0000 end_va = 0x74abbfff entry_point = 0x74ab0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 200 start_va = 0x77300000 end_va = 0x7738cfff entry_point = 0x77300000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 201 start_va = 0x77260000 end_va = 0x772a3fff entry_point = 0x77260000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 202 start_va = 0x75180000 end_va = 0x7518efff entry_point = 0x75180000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 203 start_va = 0x74880000 end_va = 0x749f4fff entry_point = 0x74880000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 204 start_va = 0x77070000 end_va = 0x7707dfff entry_point = 0x77070000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 205 start_va = 0x74550000 end_va = 0x74566fff entry_point = 0x74550000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 206 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 207 start_va = 0x1e10000 end_va = 0x1f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 208 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 209 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 210 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 211 start_va = 0x1f80000 end_va = 0x22b6fff entry_point = 0x1f80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 212 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 213 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 214 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 215 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 216 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 217 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 218 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 219 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 220 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 221 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 222 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 223 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 224 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 225 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 226 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 227 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 228 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 229 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 230 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 231 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 232 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 233 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 234 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 235 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 236 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 237 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 238 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 239 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 240 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 241 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 242 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 243 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 244 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 245 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 246 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 247 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 248 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 249 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 250 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 251 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 252 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 253 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 254 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 255 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 256 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 257 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 258 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 259 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 260 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 261 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 262 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 263 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 264 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 265 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 266 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 267 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 268 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 269 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 270 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 271 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 272 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 273 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 274 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 275 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 276 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 277 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 278 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 279 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 280 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 281 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 282 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 283 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 284 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 285 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 286 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 287 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 288 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 289 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 290 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 291 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 292 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 293 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 294 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 295 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 296 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 297 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 298 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 299 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 300 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 301 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 302 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 303 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 304 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 305 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 306 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 307 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 308 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 309 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 310 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 311 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 312 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 313 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 314 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 315 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 316 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 317 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 318 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 319 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 320 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 321 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 322 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 323 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 324 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 325 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 326 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 327 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 328 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 329 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 330 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 331 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 332 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 333 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 334 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 335 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 336 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 337 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 338 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 339 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 340 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 341 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 342 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 343 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 344 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 345 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 346 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 347 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 348 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 349 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 350 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 351 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 352 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 353 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 354 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 355 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 356 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 357 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 358 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 359 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 360 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 361 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 362 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 363 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 364 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 365 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 366 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 367 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 368 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 369 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 370 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 371 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 372 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 373 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 374 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 375 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 376 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 377 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 378 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 379 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 380 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 381 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 382 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 383 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 384 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 385 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 386 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 387 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 388 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 389 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 390 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 391 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 392 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 393 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 394 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 395 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 396 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 397 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 398 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 399 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 400 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 401 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 402 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 403 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 404 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 405 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 406 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 407 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 408 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 409 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 410 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 411 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 412 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 413 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 414 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 415 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 416 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 417 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 418 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 419 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 420 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 421 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 422 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 423 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 424 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 425 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 426 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 427 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 428 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 429 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 430 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 431 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 432 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 433 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 434 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 435 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 436 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 437 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 438 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 439 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 440 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 441 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 442 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 443 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 444 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 445 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 446 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 447 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 448 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 449 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 450 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 451 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 452 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 453 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 454 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 455 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 456 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 457 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 458 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 459 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 460 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 461 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 462 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 463 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 464 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 465 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 466 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 467 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 468 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 469 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 470 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 471 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 472 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 473 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 474 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 475 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 476 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 477 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 478 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 479 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 480 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 481 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 482 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 483 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 484 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 485 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 486 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 487 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 488 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 489 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 490 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 491 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 492 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 493 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 494 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 495 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 496 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 497 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 498 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 499 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 500 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 501 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 502 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 503 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 504 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 505 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 506 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 507 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 508 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 509 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 510 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 511 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 512 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 513 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 514 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 515 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 516 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 517 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 518 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 519 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 520 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 521 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 522 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 523 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 524 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 525 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 526 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 527 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 528 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 529 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 530 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 531 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 532 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 533 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 534 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 535 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 536 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 537 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 538 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 539 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 540 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 541 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 542 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 543 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 544 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 545 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 546 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 547 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 548 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 549 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 550 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 551 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 552 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 553 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 554 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 555 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 556 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 557 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 558 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 559 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 560 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 561 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 562 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 563 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 564 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 565 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 566 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 567 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 568 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 569 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 570 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 571 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 572 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 573 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 574 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 575 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 576 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 577 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 578 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 579 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 580 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 581 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 582 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 583 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 584 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 585 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 586 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 587 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 588 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 589 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 590 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 591 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 592 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 593 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 594 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 595 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 596 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 597 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 598 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 599 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 600 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 601 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 602 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 603 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 604 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 605 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 606 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 607 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 608 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 609 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 610 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 611 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 612 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 613 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 614 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 615 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 616 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 617 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 618 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 619 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 620 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 621 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 622 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 623 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 624 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 625 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 626 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 627 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 628 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 629 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 630 start_va = 0x320000 end_va = 0x335fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 631 start_va = 0x360000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 632 start_va = 0x320000 end_va = 0x327fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 633 start_va = 0x320000 end_va = 0x320fff entry_point = 0x320000 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mpr.dll.mui") Region: id = 634 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 635 start_va = 0x22c0000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 636 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 637 start_va = 0x74540000 end_va = 0x74548fff entry_point = 0x74540000 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 638 start_va = 0x744f0000 end_va = 0x74533fff entry_point = 0x744f0000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 639 start_va = 0x744d0000 end_va = 0x744e1fff entry_point = 0x744d0000 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 640 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 641 start_va = 0x23c0000 end_va = 0x24bffff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 642 start_va = 0x744b0000 end_va = 0x744c9fff entry_point = 0x744b0000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 643 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 644 start_va = 0x744a0000 end_va = 0x744aafff entry_point = 0x744a0000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 645 start_va = 0x74490000 end_va = 0x7449ffff entry_point = 0x74490000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 646 start_va = 0x74470000 end_va = 0x7448afff entry_point = 0x74470000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 647 start_va = 0x74460000 end_va = 0x7446efff entry_point = 0x74460000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 648 start_va = 0x74450000 end_va = 0x74459fff entry_point = 0x74450000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 649 start_va = 0x74440000 end_va = 0x7444efff entry_point = 0x74440000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 650 start_va = 0x23c0000 end_va = 0x249efff entry_point = 0x23c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 651 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 652 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 653 start_va = 0x24a0000 end_va = 0x259ffff entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 654 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 655 start_va = 0x360000 end_va = 0x360fff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 656 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 657 start_va = 0x690000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 658 start_va = 0x74420000 end_va = 0x74432fff entry_point = 0x74420000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 659 start_va = 0x743f0000 end_va = 0x7441efff entry_point = 0x743f0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 660 start_va = 0x743d0000 end_va = 0x743e8fff entry_point = 0x743d0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 661 start_va = 0x610000 end_va = 0x619fff entry_point = 0x610000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 662 start_va = 0x743c0000 end_va = 0x743c7fff entry_point = 0x743c0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\SysWOW64\\dpapi.dll" (normalized: "c:\\windows\\syswow64\\dpapi.dll") Region: id = 663 start_va = 0x360000 end_va = 0x363fff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 664 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 665 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 666 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 667 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 668 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 669 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 670 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 671 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 672 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 673 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 674 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 675 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 676 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 677 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 678 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 679 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 680 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 681 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 682 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 683 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 684 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 685 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 686 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 687 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 688 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 689 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 690 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 691 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 692 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 693 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 694 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 695 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 696 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 697 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 698 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 699 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 700 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 701 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 702 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 703 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 704 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 705 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 706 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 707 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 708 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 709 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 710 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 711 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 712 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 713 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 714 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 715 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 716 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 717 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 718 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 719 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 720 start_va = 0x24a0000 end_va = 0x259ffff entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 721 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 722 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 723 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 724 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 725 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 726 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 727 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 728 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 729 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 730 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 731 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 732 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 733 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 734 start_va = 0x24a0000 end_va = 0x259ffff entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 735 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 736 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 737 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 738 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 739 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 740 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 741 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 742 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 743 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 744 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 745 start_va = 0x22c0000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 746 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 747 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 748 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 749 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 750 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 751 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 752 start_va = 0x22c0000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 753 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 754 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 755 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 756 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 757 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 758 start_va = 0x22c0000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 759 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 760 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 761 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 762 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 763 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 764 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 765 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 766 start_va = 0x22c0000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 767 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 768 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 769 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 770 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 771 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 772 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 773 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Thread: id = 1 os_tid = 0xe8c [0045.882] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0045.883] GetStartupInfoA (in: lpStartupInfo=0x19fe80 | out: lpStartupInfo=0x19fe80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0045.883] GetVersionExA (in: lpVersionInformation=0x19fed0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x19fed0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0045.883] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f40000 [0045.883] GetProcAddress (hModule=0x74f40000, lpProcName="FlsAlloc") returned 0x74f5a330 [0045.883] GetProcAddress (hModule=0x74f40000, lpProcName="FlsGetValue") returned 0x74f57580 [0045.883] GetProcAddress (hModule=0x74f40000, lpProcName="FlsSetValue") returned 0x74f59910 [0045.884] GetProcAddress (hModule=0x74f40000, lpProcName="FlsFree") returned 0x74f5f400 [0045.884] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.884] GetProcAddress (hModule=0x75190000, lpProcName="EncodePointer") returned 0x7770f190 [0045.884] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.884] GetProcAddress (hModule=0x75190000, lpProcName="EncodePointer") returned 0x7770f190 [0045.884] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.884] GetProcAddress (hModule=0x75190000, lpProcName="EncodePointer") returned 0x7770f190 [0045.884] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.884] GetProcAddress (hModule=0x75190000, lpProcName="EncodePointer") returned 0x7770f190 [0045.885] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.885] GetProcAddress (hModule=0x75190000, lpProcName="EncodePointer") returned 0x7770f190 [0045.885] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.885] GetProcAddress (hModule=0x75190000, lpProcName="EncodePointer") returned 0x7770f190 [0045.885] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.885] GetProcAddress (hModule=0x75190000, lpProcName="EncodePointer") returned 0x7770f190 [0045.885] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.885] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.885] GetModuleHandleW (lpModuleName="kernelbase.dll") returned 0x75190000 [0045.885] GetProcAddress (hModule=0x75190000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75242e70 [0045.885] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.885] GetProcAddress (hModule=0x75190000, lpProcName="EncodePointer") returned 0x7770f190 [0045.886] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.886] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.886] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.886] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.886] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.886] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.886] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.886] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.886] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.886] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.886] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.887] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.887] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.887] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.887] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.887] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.887] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.887] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.887] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.887] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.887] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.887] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.888] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.888] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.888] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.888] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.888] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.888] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.888] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.888] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.888] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75190000 [0045.888] GetProcAddress (hModule=0x75190000, lpProcName="EncodePointer") returned 0x7770f190 [0045.889] GetProcAddress (hModule=0x75190000, lpProcName="DecodePointer") returned 0x7770a200 [0045.889] GetStartupInfoA (in: lpStartupInfo=0x19fe04 | out: lpStartupInfo=0x19fe04*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0045.889] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0045.889] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0045.889] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0045.889] SetHandleCount (uNumber=0x20) returned 0x20 [0045.889] GetCommandLineA () returned="\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe\" " [0045.889] GetEnvironmentStringsW () returned 0x223010* [0045.889] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1331, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1331 [0045.889] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1331, lpMultiByteStr=0x690c50, cbMultiByte=1331, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1331 [0045.889] FreeEnvironmentStringsW (penv=0x223010) returned 1 [0045.889] GetLastError () returned 0x0 [0045.889] SetLastError (dwErrCode=0x0) [0045.889] GetLastError () returned 0x0 [0045.889] SetLastError (dwErrCode=0x0) [0045.889] GetLastError () returned 0x0 [0045.889] SetLastError (dwErrCode=0x0) [0045.889] GetACP () returned 0x4e4 [0045.889] GetLastError () returned 0x0 [0045.889] SetLastError (dwErrCode=0x0) [0045.889] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19fddc | out: lpCPInfo=0x19fddc) returned 1 [0045.889] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f8a8 | out: lpCPInfo=0x19f8a8) returned 1 [0045.890] GetLastError () returned 0x0 [0045.890] SetLastError (dwErrCode=0x0) [0045.890] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x19f838 | out: lpCharType=0x19f838) returned 1 [0045.890] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcbc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0045.890] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcbc, cbMultiByte=256, lpWideCharStr=0x19f628, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ") returned 256 [0045.890] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBĀ", cchSrc=256, lpCharType=0x19f8bc | out: lpCharType=0x19f8bc) returned 1 [0045.890] GetLastError () returned 0x0 [0045.890] SetLastError (dwErrCode=0x0) [0045.890] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0045.890] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcbc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0045.890] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcbc, cbMultiByte=256, lpWideCharStr=0x19f5c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0045.890] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0045.890] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19f3b8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0045.890] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x19fbbc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xcf\xee\x0e\xe6\xf4\xfd\x19", lpUsedDefaultChar=0x0) returned 256 [0045.890] GetLastError () returned 0x0 [0045.890] SetLastError (dwErrCode=0x0) [0045.890] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcbc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0045.890] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcbc, cbMultiByte=256, lpWideCharStr=0x19f5e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0045.890] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0045.891] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19f3d8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0045.891] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x19fabc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xcf\xee\x0e\xe6\xf4\xfd\x19", lpUsedDefaultChar=0x0) returned 256 [0045.891] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x43b650, nSize=0x104 | out: lpFilename="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\tcpsov.exe")) returned 0x28 [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.891] SetLastError (dwErrCode=0x0) [0045.891] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.892] GetLastError () returned 0x0 [0045.892] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.893] SetLastError (dwErrCode=0x0) [0045.893] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.894] SetLastError (dwErrCode=0x0) [0045.894] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.895] SetLastError (dwErrCode=0x0) [0045.895] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.896] GetLastError () returned 0x0 [0045.896] SetLastError (dwErrCode=0x0) [0045.897] GetLastError () returned 0x0 [0045.897] SetLastError (dwErrCode=0x0) [0045.898] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x425663) returned 0x0 [0045.898] GetLastError () returned 0x0 [0045.898] SetLastError (dwErrCode=0x0) [0045.898] GetLastError () returned 0x0 [0045.898] SetLastError (dwErrCode=0x0) [0045.898] GetLastError () returned 0x0 [0045.898] SetLastError (dwErrCode=0x0) [0045.898] GetLastError () returned 0x0 [0045.898] SetLastError (dwErrCode=0x0) [0045.898] GetLastError () returned 0x0 [0045.898] SetLastError (dwErrCode=0x0) [0045.898] GetLastError () returned 0x0 [0045.898] SetLastError (dwErrCode=0x0) [0045.898] GetLastError () returned 0x0 [0045.898] SetLastError (dwErrCode=0x0) [0045.898] GetLastError () returned 0x0 [0045.898] SetLastError (dwErrCode=0x0) [0045.898] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.899] SetLastError (dwErrCode=0x0) [0045.899] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.900] SetLastError (dwErrCode=0x0) [0045.900] GetLastError () returned 0x0 [0045.901] SetLastError (dwErrCode=0x0) [0045.901] GetLastError () returned 0x0 [0045.901] SetLastError (dwErrCode=0x0) [0045.901] GetCommandLineA () returned="\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe\" " [0045.929] ImageList_Add (himl=0xffffffff, hbmImage=0x0, hbmMask=0x0) returned -1 [0045.929] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76c70000 [0045.929] GetProcAddress (hModule=0x76c70000, lpProcName="GetWindowContextHelpId") returned 0x76cc8df0 [0045.930] GetWindowContextHelpId (param_1=0x0) returned 0x0 [0045.930] GetLastError () returned 0x578 [0045.930] VirtualAlloc (lpAddress=0x0, dwSize=0xd20, flAllocationType=0x3000, flProtect=0x40) returned 0x310000 [0045.930] GetCommandLineA () returned="\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe\" " [0045.930] GetCommandLineA () returned="\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe\" " [0045.930] GetModuleHandleA (lpModuleName="kernel32") returned 0x74f40000 [0045.930] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0045.930] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualProtect") returned 0x74f58c50 [0045.931] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryA") returned 0x74f5d8d0 [0045.931] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualFree") returned 0x74f58c70 [0045.931] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualQuery") returned 0x74f58c90 [0045.931] VirtualQuery (in: lpAddress=0x4184a4, lpBuffer=0x19faf4, dwLength=0x1c | out: lpBuffer=0x19faf4*(BaseAddress=0x418000, AllocationBase=0x400000, AllocationProtect=0x80, RegionSize=0x21000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0045.931] VirtualAlloc (lpAddress=0x0, dwSize=0x14ff0, flAllocationType=0x3000, flProtect=0x4) returned 0x320000 [0045.931] VirtualAlloc (lpAddress=0x0, dwSize=0x19200, flAllocationType=0x3000, flProtect=0x4) returned 0x340000 [0045.938] VirtualFree (lpAddress=0x320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0045.938] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1e000, flNewProtect=0x40, lpflOldProtect=0x19faf0 | out: lpflOldProtect=0x19faf0*=0x2) returned 1 [0046.130] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x74f40000 [0046.130] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcatW") returned 0x74f7d320 [0046.130] GetProcAddress (hModule=0x74f40000, lpProcName="GlobalAlloc") returned 0x74f59600 [0046.130] GetProcAddress (hModule=0x74f40000, lpProcName="DeleteFileW") returned 0x74f661b0 [0046.130] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcpyA") returned 0x74f5e320 [0046.130] GetProcAddress (hModule=0x74f40000, lpProcName="GlobalFree") returned 0x74f63a70 [0046.130] GetProcAddress (hModule=0x74f40000, lpProcName="CloseHandle") returned 0x74f65f20 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="CreateThread") returned 0x74f59700 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="MoveFileExW") returned 0x74f5a820 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcpyW") returned 0x74f7d410 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileMappingW") returned 0x74f591e0 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="MapViewOfFile") returned 0x74f58c10 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcmpW") returned 0x74f578d0 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="BeginUpdateResourceA") returned 0x74f92aa0 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="EraseTape") returned 0x74f8b350 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="FindFirstVolumeW") returned 0x74fa3dc0 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="GetProfileSectionW") returned 0x74f7a9e0 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="GetCurrentProcess") returned 0x74f52da0 [0046.131] GetProcAddress (hModule=0x74f40000, lpProcName="lstrlenW") returned 0x74f52d80 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="CancelDeviceWakeupRequest") returned 0x74f7ede0 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="TerminateProcess") returned 0x74f5fbc0 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="GlobalUnWire") returned 0x74f7d1c0 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="GetConsoleTitleW") returned 0x74f669e0 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="EnumResourceNamesW") returned 0x74f5fc40 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="CreateMutexW") returned 0x74f65fe0 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="OpenFile") returned 0x74f7c910 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="EnumSystemCodePagesW") returned 0x74f80d40 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="CancelThreadpoolIo") returned 0x776e6930 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="GlobalDeleteAtom") returned 0x74f59430 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="QueryMemoryResourceNotification") returned 0x74f81e40 [0046.132] GetProcAddress (hModule=0x74f40000, lpProcName="GetACP") returned 0x74f58770 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="OpenProcess") returned 0x74f592b0 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="FindFirstVolumeMountPointA") returned 0x74f88e90 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="FindActCtxSectionStringA") returned 0x74f8ca00 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="CreateToolhelp32Snapshot") returned 0x74f67510 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="Sleep") returned 0x74f577b0 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="SetFileAttributesW") returned 0x74f66510 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="GetConsoleAliasesLengthW") returned 0x74fa5940 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileW") returned 0x74f66180 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileA") returned 0x74f66170 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="DefineDosDeviceA") returned 0x74f7add0 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="GetSystemFileCacheSize") returned 0x74f81380 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="GetCurrentThread") returned 0x74f575c0 [0046.133] GetProcAddress (hModule=0x74f40000, lpProcName="GetSystemDirectoryA") returned 0x74f5f5c0 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="Process32FirstW") returned 0x74f5ee30 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="GlobalFindAtomW") returned 0x74f52320 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="QueueUserAPC") returned 0x74f5fb00 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="LocalSize") returned 0x74f63930 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="FindAtomA") returned 0x74f5e640 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="ExitProcess") returned 0x74f674f0 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="FreeLibrary") returned 0x74f598f0 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="GetSystemTime") returned 0x74f64a60 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="GlobalUnlock") returned 0x74f52a10 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="GetDriveTypeW") returned 0x74f66300 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="FindFirstFileTransactedA") returned 0x74f7b220 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="CreateTimerQueue") returned 0x74f80ae0 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="SizeofResource") returned 0x74f58cb0 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="LockResource") returned 0x74f57a50 [0046.134] GetProcAddress (hModule=0x74f40000, lpProcName="LoadResource") returned 0x74f578f0 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="FindResourceW") returned 0x74f63a50 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="GetModuleHandleW") returned 0x74f59660 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="DecodePointer") returned 0x7770a200 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="WriteConsoleW") returned 0x74f66920 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="SetFilePointerEx") returned 0x74f66540 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="GetConsoleMode") returned 0x74f66870 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="GetConsoleCP") returned 0x74f66860 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="FlushFileBuffers") returned 0x74f662a0 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="HeapReAlloc") returned 0x776ebae0 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="HeapSize") returned 0x77704f40 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="GetLastError") returned 0x74f52db0 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="UnmapViewOfFile") returned 0x74f594b0 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="WaitForSingleObject") returned 0x74f66110 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="ReadFile") returned 0x74f664a0 [0046.135] GetProcAddress (hModule=0x74f40000, lpProcName="FindClose") returned 0x74f661d0 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="lstrlenA") returned 0x74f63a30 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="SetFilePointer") returned 0x74f66530 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="SetErrorMode") returned 0x74f58bf0 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="GetProcessHeap") returned 0x74f57910 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="GetStringTypeW") returned 0x74f579b0 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="GetFileType") returned 0x74f66390 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="WriteFile") returned 0x74f66590 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="FindNextFileW") returned 0x74f66290 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualFree") returned 0x74f58c70 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="FindFirstFileW") returned 0x74f66250 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="Process32NextW") returned 0x74f5c9b0 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="SetStdHandle") returned 0x74f826a0 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="UnhandledExceptionFilter") returned 0x74f828e0 [0046.136] GetProcAddress (hModule=0x74f40000, lpProcName="SetUnhandledExceptionFilter") returned 0x74f5a2c0 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="IsProcessorFeaturePresent") returned 0x74f59680 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="QueryPerformanceCounter") returned 0x74f52dc0 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="GetCurrentProcessId") returned 0x74f51d90 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="GetCurrentThreadId") returned 0x74f51b90 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="GetSystemTimeAsFileTime") returned 0x74f52b90 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="InitializeSListHead") returned 0x77711fc0 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="IsDebuggerPresent") returned 0x74f5a790 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="GetStartupInfoW") returned 0x74f5a080 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="RtlUnwind") returned 0x74f59a80 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="SetLastError") returned 0x74f52af0 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="EnterCriticalSection") returned 0x776f5e80 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="LeaveCriticalSection") returned 0x776f5e00 [0046.137] GetProcAddress (hModule=0x74f40000, lpProcName="DeleteCriticalSection") returned 0x77709920 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x74f66020 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="TlsAlloc") returned 0x74f59a70 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="TlsGetValue") returned 0x74f51ba0 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="TlsSetValue") returned 0x74f51da0 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="TlsFree") returned 0x74f59930 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="GetProcAddress") returned 0x74f57940 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryExW") returned 0x74f57920 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="GetStdHandle") returned 0x74f5a060 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="GetModuleFileNameA") returned 0x74f5a040 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="MultiByteToWideChar") returned 0x74f52d60 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="WideCharToMultiByte") returned 0x74f575a0 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="GetModuleHandleExW") returned 0x74f59fa0 [0046.138] GetProcAddress (hModule=0x74f40000, lpProcName="HeapFree") returned 0x74f525e0 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="HeapAlloc") returned 0x776eda90 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="FindFirstFileExA") returned 0x74f66220 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="FindNextFileA") returned 0x74f66270 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="IsValidCodePage") returned 0x74f5a090 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="GetOEMCP") returned 0x74f5fd10 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="GetCPInfo") returned 0x74f59fc0 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="GetCommandLineA") returned 0x74f5a3c0 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="GetCommandLineW") returned 0x74f5a4b0 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="GetEnvironmentStringsW") returned 0x74f5a3b0 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="FreeEnvironmentStringsW") returned 0x74f5a0f0 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="LCMapStringW") returned 0x74f59a40 [0046.139] GetProcAddress (hModule=0x74f40000, lpProcName="RaiseException") returned 0x74f59ec0 [0046.139] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x76c70000 [0046.140] GetProcAddress (hModule=0x76c70000, lpProcName="EqualRect") returned 0x76c9ca20 [0046.140] GetProcAddress (hModule=0x76c70000, lpProcName="DestroyIcon") returned 0x76c8d670 [0046.140] GetProcAddress (hModule=0x76c70000, lpProcName="EnumWindows") returned 0x76c9a0b0 [0046.140] GetProcAddress (hModule=0x76c70000, lpProcName="CharUpperBuffW") returned 0x76ca3140 [0046.140] GetProcAddress (hModule=0x76c70000, lpProcName="GetDesktopWindow") returned 0x76c81520 [0046.140] GetProcAddress (hModule=0x76c70000, lpProcName="GetWindowTextW") returned 0x76c94710 [0046.140] GetProcAddress (hModule=0x76c70000, lpProcName="wsprintfW") returned 0x76c9ddf0 [0046.140] GetProcAddress (hModule=0x76c70000, lpProcName="GetLastActivePopup") returned 0x76ca03f0 [0046.140] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75030000 [0046.140] GetProcAddress (hModule=0x75030000, lpProcName="CreateDIBPatternBrush") returned 0x750e1920 [0046.140] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77550000 [0046.140] GetProcAddress (hModule=0x77550000, lpProcName="CryptGenKey") returned 0x77573fd0 [0046.140] GetProcAddress (hModule=0x77550000, lpProcName="CryptExportKey") returned 0x7756f8f0 [0046.140] GetProcAddress (hModule=0x77550000, lpProcName="CryptEncrypt") returned 0x77585bd0 [0046.140] GetProcAddress (hModule=0x77550000, lpProcName="CryptAcquireContextW") returned 0x77570730 [0046.140] GetProcAddress (hModule=0x77550000, lpProcName="CryptDestroyKey") returned 0x7756fc10 [0046.141] GetProcAddress (hModule=0x77550000, lpProcName="CryptReleaseContext") returned 0x77570ad0 [0046.141] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75310000 [0050.944] GetProcAddress (hModule=0x75310000, lpProcName="SHGetSpecialFolderPathW") returned 0x7549edb0 [0050.944] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x74da0000 [0050.944] GetProcAddress (hModule=0x74da0000, lpProcName="StrStrW") returned 0x74db81d0 [0050.944] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x74880000 [0051.280] GetProcAddress (hModule=0x74880000, lpProcName="CryptImportPublicKeyInfoEx") returned 0x748b0cc0 [0051.280] GetProcAddress (hModule=0x74880000, lpProcName="CryptStringToBinaryA") returned 0x748c8040 [0051.280] GetProcAddress (hModule=0x74880000, lpProcName="CryptDecodeObjectEx") returned 0x748b4470 [0051.280] LoadLibraryA (lpLibFileName="MPR.dll") returned 0x74550000 [0051.395] GetProcAddress (hModule=0x74550000, lpProcName="WNetOpenEnumW") returned 0x74553810 [0051.395] GetProcAddress (hModule=0x74550000, lpProcName="WNetEnumResourceW") returned 0x745532d0 [0051.395] GetProcAddress (hModule=0x74550000, lpProcName="WNetCloseEnum") returned 0x74553710 [0051.395] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19fa24 | out: lpSystemTimeAsFileTime=0x19fa24*(dwLowDateTime=0x4a3ea070, dwHighDateTime=0x1d4c174)) [0051.395] GetCurrentThreadId () returned 0xe8c [0051.395] GetCurrentProcessId () returned 0xe88 [0051.395] QueryPerformanceCounter (in: lpPerformanceCount=0x19fa1c | out: lpPerformanceCount=0x19fa1c*=1812220500000) returned 1 [0051.395] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0051.395] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75190000 [0051.396] GetProcAddress (hModule=0x75190000, lpProcName="InitializeCriticalSectionEx") returned 0x75243ae0 [0051.396] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75190000 [0051.396] GetProcAddress (hModule=0x75190000, lpProcName="FlsAlloc") returned 0x75246530 [0051.396] GetProcAddress (hModule=0x75190000, lpProcName="FlsSetValue") returned 0x75243770 [0051.396] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75190000 [0051.396] GetProcAddress (hModule=0x75190000, lpProcName="InitializeCriticalSectionEx") returned 0x75243ae0 [0051.396] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75190000 [0051.396] GetProcAddress (hModule=0x75190000, lpProcName="FlsAlloc") returned 0x75246530 [0051.396] GetLastError () returned 0x0 [0051.397] GetProcAddress (hModule=0x75190000, lpProcName="FlsGetValue") returned 0x7523a7b0 [0051.397] GetProcAddress (hModule=0x75190000, lpProcName="FlsSetValue") returned 0x75243770 [0051.397] SetLastError (dwErrCode=0x0) [0051.398] GetStartupInfoW (in: lpStartupInfo=0x19f94c | out: lpStartupInfo=0x19f94c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0051.398] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0051.398] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0051.398] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0051.398] GetCommandLineA () returned="\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe\" " [0051.398] GetCommandLineW () returned="\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe\" " [0051.398] GetLastError () returned 0x0 [0051.398] SetLastError (dwErrCode=0x0) [0051.398] GetLastError () returned 0x0 [0051.398] SetLastError (dwErrCode=0x0) [0051.398] GetACP () returned 0x4e4 [0051.398] IsValidCodePage (CodePage=0x4e4) returned 1 [0051.398] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f97c | out: lpCPInfo=0x19f97c) returned 1 [0051.398] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f244 | out: lpCPInfo=0x19f244) returned 1 [0051.398] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f858, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0051.398] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f858, cbMultiByte=256, lpWideCharStr=0x19efe8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0051.398] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x19f258 | out: lpCharType=0x19f258) returned 1 [0051.398] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f858, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0051.398] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f858, cbMultiByte=256, lpWideCharStr=0x19ef98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0051.398] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75190000 [0051.398] GetProcAddress (hModule=0x75190000, lpProcName="LCMapStringEx") returned 0x75233690 [0051.398] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0051.398] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19ed88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0051.398] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x19f758, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xf5\x3b\x28\xbb\x94\xf9\x19", lpUsedDefaultChar=0x0) returned 256 [0051.399] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f858, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0051.399] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f858, cbMultiByte=256, lpWideCharStr=0x19efa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0051.399] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0051.399] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19ed98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0051.399] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x19f658, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xf5\x3b\x28\xbb\x94\xf9\x19", lpUsedDefaultChar=0x0) returned 256 [0051.399] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x415cd8, nSize=0x104 | out: lpFilename="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\tcpsov.exe")) returned 0x28 [0051.399] RtlInitializeSListHead (in: ListHead=0x415bf0 | out: ListHead=0x415bf0) [0051.399] GetLastError () returned 0x0 [0051.399] SetLastError (dwErrCode=0x0) [0051.399] GetEnvironmentStringsW () returned 0x22aaf0* [0051.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1331, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1331 [0051.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1331, lpMultiByteStr=0x22b560, cbMultiByte=1331, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1331 [0051.399] FreeEnvironmentStringsW (penv=0x22aaf0) returned 1 [0051.400] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0051.400] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x40183e) returned 0x425663 [0051.400] GetStartupInfoW (in: lpStartupInfo=0x19f9b4 | out: lpStartupInfo=0x19f9b4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tcpsov.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0051.400] CreateFileA (lpFileName="popup.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\popup.txt"), dwDesiredAccess=0x0, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0051.400] GetLastError () returned 0x2 [0051.400] GetCurrentProcess () returned 0xffffffff [0051.400] GetCurrentThread () returned 0xfffffffe [0051.400] Sleep (dwMilliseconds=0x32) [0051.459] GetCurrentProcess () returned 0xffffffff [0051.459] GetCurrentThread () returned 0xfffffffe [0051.459] Sleep (dwMilliseconds=0x32) [0051.524] GetCurrentProcess () returned 0xffffffff [0051.524] GetCurrentThread () returned 0xfffffffe [0051.524] Sleep (dwMilliseconds=0x1388) [0056.541] EraseTape (hDevice=0x0, dwEraseType=0x0, bImmediate=0) returned 0x6 [0056.541] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.541] DefineDosDeviceA (dwFlags=0x0, lpDeviceName="1234567890", lpTargetPath="//...//") returned 1 [0056.542] FindAtomA (lpString="27") returned 0x0 [0056.542] EraseTape (hDevice=0x0, dwEraseType=0x1, bImmediate=0) returned 0x6 [0056.542] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.542] DefineDosDeviceA (dwFlags=0x1, lpDeviceName="1234567890", lpTargetPath="//...//") returned 1 [0056.542] FindAtomA (lpString="27") returned 0x0 [0056.542] EraseTape (hDevice=0x0, dwEraseType=0x2, bImmediate=0) returned 0x6 [0056.542] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.542] DefineDosDeviceA (dwFlags=0x2, lpDeviceName="1234567890", lpTargetPath="//...//") returned 1 [0056.542] FindAtomA (lpString="27") returned 0x0 [0056.542] EraseTape (hDevice=0x0, dwEraseType=0x3, bImmediate=0) returned 0x6 [0056.542] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.542] DefineDosDeviceA (dwFlags=0x3, lpDeviceName="1234567890", lpTargetPath="//...//") returned 1 [0056.543] FindAtomA (lpString="27") returned 0x0 [0056.543] EraseTape (hDevice=0x0, dwEraseType=0x4, bImmediate=0) returned 0x6 [0056.543] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.543] DefineDosDeviceA (dwFlags=0x4, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.543] GetCurrentThread () returned 0xfffffffe [0056.543] EraseTape (hDevice=0x0, dwEraseType=0x5, bImmediate=0) returned 0x6 [0056.543] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.543] DefineDosDeviceA (dwFlags=0x5, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.543] GetCurrentThread () returned 0xfffffffe [0056.543] EraseTape (hDevice=0x0, dwEraseType=0x6, bImmediate=0) returned 0x6 [0056.543] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.543] DefineDosDeviceA (dwFlags=0x6, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.543] GetCurrentThread () returned 0xfffffffe [0056.543] EraseTape (hDevice=0x0, dwEraseType=0x7, bImmediate=0) returned 0x6 [0056.543] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.543] DefineDosDeviceA (dwFlags=0x7, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.543] GetCurrentThread () returned 0xfffffffe [0056.543] EraseTape (hDevice=0x0, dwEraseType=0x8, bImmediate=0) returned 0x6 [0056.543] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.543] DefineDosDeviceA (dwFlags=0x8, lpDeviceName="1234567890", lpTargetPath="//...//") returned 1 [0056.544] FindAtomA (lpString="27") returned 0x0 [0056.544] EraseTape (hDevice=0x0, dwEraseType=0x9, bImmediate=0) returned 0x6 [0056.544] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.544] DefineDosDeviceA (dwFlags=0x9, lpDeviceName="1234567890", lpTargetPath="//...//") returned 1 [0056.544] FindAtomA (lpString="27") returned 0x0 [0056.544] EraseTape (hDevice=0x0, dwEraseType=0xa, bImmediate=0) returned 0x6 [0056.544] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.544] DefineDosDeviceA (dwFlags=0xa, lpDeviceName="1234567890", lpTargetPath="//...//") returned 1 [0056.544] FindAtomA (lpString="27") returned 0x0 [0056.544] EraseTape (hDevice=0x0, dwEraseType=0xb, bImmediate=0) returned 0x6 [0056.544] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.544] DefineDosDeviceA (dwFlags=0xb, lpDeviceName="1234567890", lpTargetPath="//...//") returned 1 [0056.544] FindAtomA (lpString="27") returned 0x0 [0056.544] EraseTape (hDevice=0x0, dwEraseType=0xc, bImmediate=0) returned 0x6 [0056.544] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.544] DefineDosDeviceA (dwFlags=0xc, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.544] GetCurrentThread () returned 0xfffffffe [0056.544] EraseTape (hDevice=0x0, dwEraseType=0xd, bImmediate=0) returned 0x6 [0056.544] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.544] DefineDosDeviceA (dwFlags=0xd, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.544] GetCurrentThread () returned 0xfffffffe [0056.544] EraseTape (hDevice=0x0, dwEraseType=0xe, bImmediate=0) returned 0x6 [0056.544] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.544] DefineDosDeviceA (dwFlags=0xe, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.545] GetCurrentThread () returned 0xfffffffe [0056.545] EraseTape (hDevice=0x0, dwEraseType=0xf, bImmediate=0) returned 0x6 [0056.545] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.545] DefineDosDeviceA (dwFlags=0xf, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.545] GetCurrentThread () returned 0xfffffffe [0056.545] EraseTape (hDevice=0x0, dwEraseType=0x10, bImmediate=0) returned 0x6 [0056.545] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.545] DefineDosDeviceA (dwFlags=0x10, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.545] GetCurrentThread () returned 0xfffffffe [0056.545] EraseTape (hDevice=0x0, dwEraseType=0x11, bImmediate=0) returned 0x6 [0056.545] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.545] DefineDosDeviceA (dwFlags=0x11, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.545] GetCurrentThread () returned 0xfffffffe [0056.545] EraseTape (hDevice=0x0, dwEraseType=0x12, bImmediate=0) returned 0x6 [0056.545] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.545] DefineDosDeviceA (dwFlags=0x12, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.545] GetCurrentThread () returned 0xfffffffe [0056.545] EraseTape (hDevice=0x0, dwEraseType=0x13, bImmediate=0) returned 0x6 [0056.545] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.545] DefineDosDeviceA (dwFlags=0x13, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.545] GetCurrentThread () returned 0xfffffffe [0056.545] EraseTape (hDevice=0x0, dwEraseType=0x14, bImmediate=0) returned 0x6 [0056.545] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.545] DefineDosDeviceA (dwFlags=0x14, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.545] GetCurrentThread () returned 0xfffffffe [0056.545] EraseTape (hDevice=0x0, dwEraseType=0x15, bImmediate=0) returned 0x6 [0056.545] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.545] DefineDosDeviceA (dwFlags=0x15, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.545] GetCurrentThread () returned 0xfffffffe [0056.545] EraseTape (hDevice=0x0, dwEraseType=0x16, bImmediate=0) returned 0x6 [0056.545] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.545] DefineDosDeviceA (dwFlags=0x16, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.545] GetCurrentThread () returned 0xfffffffe [0056.545] EraseTape (hDevice=0x0, dwEraseType=0x17, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x17, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.546] EraseTape (hDevice=0x0, dwEraseType=0x18, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x18, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.546] EraseTape (hDevice=0x0, dwEraseType=0x19, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x19, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.546] EraseTape (hDevice=0x0, dwEraseType=0x1a, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x1a, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.546] EraseTape (hDevice=0x0, dwEraseType=0x1b, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x1b, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.546] EraseTape (hDevice=0x0, dwEraseType=0x1c, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x1c, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.546] EraseTape (hDevice=0x0, dwEraseType=0x1d, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x1d, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.546] EraseTape (hDevice=0x0, dwEraseType=0x1e, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x1e, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.546] EraseTape (hDevice=0x0, dwEraseType=0x1f, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x1f, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.546] EraseTape (hDevice=0x0, dwEraseType=0x20, bImmediate=0) returned 0x6 [0056.546] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.546] DefineDosDeviceA (dwFlags=0x20, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.546] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x21, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x21, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.547] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x22, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x22, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.547] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x23, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x23, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.547] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x24, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x24, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.547] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x25, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x25, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.547] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x26, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x26, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.547] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x27, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x27, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.547] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x28, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x28, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.547] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x29, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x29, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.547] GetCurrentThread () returned 0xfffffffe [0056.547] EraseTape (hDevice=0x0, dwEraseType=0x2a, bImmediate=0) returned 0x6 [0056.547] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.547] DefineDosDeviceA (dwFlags=0x2a, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x2b, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x2b, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x2c, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x2c, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x2d, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x2d, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x2e, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x2e, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x2f, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x2f, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x30, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x30, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x31, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x31, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x32, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x32, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x33, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x33, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x34, bImmediate=0) returned 0x6 [0056.548] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.548] DefineDosDeviceA (dwFlags=0x34, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.548] GetCurrentThread () returned 0xfffffffe [0056.548] EraseTape (hDevice=0x0, dwEraseType=0x35, bImmediate=0) returned 0x6 [0056.549] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.549] DefineDosDeviceA (dwFlags=0x35, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.549] GetCurrentThread () returned 0xfffffffe [0056.549] EraseTape (hDevice=0x0, dwEraseType=0x36, bImmediate=0) returned 0x6 [0056.549] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.549] DefineDosDeviceA (dwFlags=0x36, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.549] GetCurrentThread () returned 0xfffffffe [0056.549] EraseTape (hDevice=0x0, dwEraseType=0x37, bImmediate=0) returned 0x6 [0056.549] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.549] DefineDosDeviceA (dwFlags=0x37, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.549] GetCurrentThread () returned 0xfffffffe [0056.549] EraseTape (hDevice=0x0, dwEraseType=0x38, bImmediate=0) returned 0x6 [0056.549] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.549] DefineDosDeviceA (dwFlags=0x38, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.549] GetCurrentThread () returned 0xfffffffe [0056.549] EraseTape (hDevice=0x0, dwEraseType=0x39, bImmediate=0) returned 0x6 [0056.549] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.549] DefineDosDeviceA (dwFlags=0x39, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.549] GetCurrentThread () returned 0xfffffffe [0056.549] EraseTape (hDevice=0x0, dwEraseType=0x3a, bImmediate=0) returned 0x6 [0056.549] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.549] DefineDosDeviceA (dwFlags=0x3a, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.549] GetCurrentThread () returned 0xfffffffe [0056.549] EraseTape (hDevice=0x0, dwEraseType=0x3b, bImmediate=0) returned 0x6 [0056.549] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.549] DefineDosDeviceA (dwFlags=0x3b, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.549] GetCurrentThread () returned 0xfffffffe [0056.549] EraseTape (hDevice=0x0, dwEraseType=0x3c, bImmediate=0) returned 0x6 [0056.549] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.549] DefineDosDeviceA (dwFlags=0x3c, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.549] GetCurrentThread () returned 0xfffffffe [0056.549] EraseTape (hDevice=0x0, dwEraseType=0x3d, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x3d, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x3e, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x3e, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x3f, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x3f, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x40, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x40, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x41, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x41, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x42, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x42, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x43, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x43, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x44, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x44, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x45, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x45, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x46, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x46, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x47, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x47, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.550] GetCurrentThread () returned 0xfffffffe [0056.550] EraseTape (hDevice=0x0, dwEraseType=0x48, bImmediate=0) returned 0x6 [0056.550] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.550] DefineDosDeviceA (dwFlags=0x48, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x49, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x49, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x4a, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x4a, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x4b, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x4b, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x4c, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x4c, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x4d, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x4d, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x4e, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x4e, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x4f, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x4f, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x50, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x50, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x51, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x51, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x52, bImmediate=0) returned 0x6 [0056.551] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.551] DefineDosDeviceA (dwFlags=0x52, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.551] GetCurrentThread () returned 0xfffffffe [0056.551] EraseTape (hDevice=0x0, dwEraseType=0x53, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x53, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x54, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x54, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x55, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x55, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x56, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x56, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x57, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x57, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x58, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x58, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x59, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x59, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x5a, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x5a, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x5b, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x5b, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x5c, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x5c, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x5d, bImmediate=0) returned 0x6 [0056.552] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.552] DefineDosDeviceA (dwFlags=0x5d, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.552] GetCurrentThread () returned 0xfffffffe [0056.552] EraseTape (hDevice=0x0, dwEraseType=0x5e, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x5e, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x5f, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x5f, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x60, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x60, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x61, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x61, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x62, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x62, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x63, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x63, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x64, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x64, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x65, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x65, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x66, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x66, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x67, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.553] DefineDosDeviceA (dwFlags=0x67, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.553] GetCurrentThread () returned 0xfffffffe [0056.553] EraseTape (hDevice=0x0, dwEraseType=0x68, bImmediate=0) returned 0x6 [0056.553] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x68, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x69, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x69, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x6a, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x6a, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x6b, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x6b, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x6c, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x6c, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x6d, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x6d, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x6e, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x6e, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x6f, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x6f, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x70, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x70, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x71, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x71, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.554] GetCurrentThread () returned 0xfffffffe [0056.554] EraseTape (hDevice=0x0, dwEraseType=0x72, bImmediate=0) returned 0x6 [0056.554] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.554] DefineDosDeviceA (dwFlags=0x72, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.555] GetCurrentThread () returned 0xfffffffe [0056.555] EraseTape (hDevice=0x0, dwEraseType=0x73, bImmediate=0) returned 0x6 [0056.555] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.555] DefineDosDeviceA (dwFlags=0x73, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.555] GetCurrentThread () returned 0xfffffffe [0056.555] EraseTape (hDevice=0x0, dwEraseType=0x74, bImmediate=0) returned 0x6 [0056.555] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.555] DefineDosDeviceA (dwFlags=0x74, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.555] GetCurrentThread () returned 0xfffffffe [0056.555] EraseTape (hDevice=0x0, dwEraseType=0x75, bImmediate=0) returned 0x6 [0056.555] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.555] DefineDosDeviceA (dwFlags=0x75, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.555] GetCurrentThread () returned 0xfffffffe [0056.555] EraseTape (hDevice=0x0, dwEraseType=0x76, bImmediate=0) returned 0x6 [0056.555] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.555] DefineDosDeviceA (dwFlags=0x76, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.555] GetCurrentThread () returned 0xfffffffe [0056.555] EraseTape (hDevice=0x0, dwEraseType=0x77, bImmediate=0) returned 0x6 [0056.555] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.555] DefineDosDeviceA (dwFlags=0x77, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.555] GetCurrentThread () returned 0xfffffffe [0056.555] EraseTape (hDevice=0x0, dwEraseType=0x78, bImmediate=0) returned 0x6 [0056.555] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.555] DefineDosDeviceA (dwFlags=0x78, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.555] GetCurrentThread () returned 0xfffffffe [0056.555] EraseTape (hDevice=0x0, dwEraseType=0x79, bImmediate=0) returned 0x6 [0056.555] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.555] DefineDosDeviceA (dwFlags=0x79, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.555] GetCurrentThread () returned 0xfffffffe [0056.555] EraseTape (hDevice=0x0, dwEraseType=0x7a, bImmediate=0) returned 0x6 [0056.555] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.555] DefineDosDeviceA (dwFlags=0x7a, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.555] GetCurrentThread () returned 0xfffffffe [0056.555] EraseTape (hDevice=0x0, dwEraseType=0x7b, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x7b, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x7c, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x7c, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x7d, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x7d, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x7e, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x7e, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x7f, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x7f, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x80, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x80, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x81, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x81, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x82, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x82, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x83, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x83, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x84, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x84, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x85, bImmediate=0) returned 0x6 [0056.556] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.556] DefineDosDeviceA (dwFlags=0x85, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.556] GetCurrentThread () returned 0xfffffffe [0056.556] EraseTape (hDevice=0x0, dwEraseType=0x86, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x86, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x87, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x87, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x88, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x88, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x89, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x89, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x8a, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x8a, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x8b, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x8b, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x8c, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x8c, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x8d, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x8d, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x8e, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x8e, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x8f, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x8f, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x90, bImmediate=0) returned 0x6 [0056.557] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.557] DefineDosDeviceA (dwFlags=0x90, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.557] GetCurrentThread () returned 0xfffffffe [0056.557] EraseTape (hDevice=0x0, dwEraseType=0x91, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x91, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x92, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x92, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x93, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x93, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x94, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x94, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x95, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x95, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x96, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x96, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x97, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x97, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x98, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x98, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x99, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x99, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x9a, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x9a, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x9b, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.558] DefineDosDeviceA (dwFlags=0x9b, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.558] GetCurrentThread () returned 0xfffffffe [0056.558] EraseTape (hDevice=0x0, dwEraseType=0x9c, bImmediate=0) returned 0x6 [0056.558] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0x9c, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0x9d, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0x9d, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0x9e, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0x9e, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0x9f, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0x9f, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0xa0, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0xa0, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0xa1, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0xa1, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0xa2, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0xa2, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0xa3, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0xa3, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0xa4, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0xa4, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0xa5, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0xa5, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0xa6, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0xa6, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.559] EraseTape (hDevice=0x0, dwEraseType=0xa7, bImmediate=0) returned 0x6 [0056.559] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.559] DefineDosDeviceA (dwFlags=0xa7, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.559] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xa8, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xa8, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xa9, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xa9, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xaa, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xaa, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xab, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xab, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xac, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xac, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xad, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xad, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xae, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xae, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xaf, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xaf, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xb0, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xb0, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xb1, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xb1, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xb2, bImmediate=0) returned 0x6 [0056.560] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.560] DefineDosDeviceA (dwFlags=0xb2, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.560] GetCurrentThread () returned 0xfffffffe [0056.560] EraseTape (hDevice=0x0, dwEraseType=0xb3, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xb3, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xb4, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xb4, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xb5, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xb5, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xb6, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xb6, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xb7, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xb7, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xb8, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xb8, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xb9, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xb9, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xba, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xba, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xbb, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xbb, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xbc, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xbc, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xbd, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.561] DefineDosDeviceA (dwFlags=0xbd, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.561] GetCurrentThread () returned 0xfffffffe [0056.561] EraseTape (hDevice=0x0, dwEraseType=0xbe, bImmediate=0) returned 0x6 [0056.561] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xbe, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xbf, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xbf, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc0, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc0, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc1, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc1, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc2, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc2, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc3, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc3, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc4, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc4, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc5, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc5, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc6, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc6, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc7, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc7, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc8, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc8, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.562] GetCurrentThread () returned 0xfffffffe [0056.562] EraseTape (hDevice=0x0, dwEraseType=0xc9, bImmediate=0) returned 0x6 [0056.562] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.562] DefineDosDeviceA (dwFlags=0xc9, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xca, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xca, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xcb, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xcb, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xcc, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xcc, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xcd, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xcd, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xce, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xce, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xcf, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xcf, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xd0, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xd0, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xd1, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xd1, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xd2, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xd2, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xd3, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xd3, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xd4, bImmediate=0) returned 0x6 [0056.563] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.563] DefineDosDeviceA (dwFlags=0xd4, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.563] GetCurrentThread () returned 0xfffffffe [0056.563] EraseTape (hDevice=0x0, dwEraseType=0xd5, bImmediate=0) returned 0x6 [0056.564] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.564] DefineDosDeviceA (dwFlags=0xd5, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.564] GetCurrentThread () returned 0xfffffffe [0056.564] EraseTape (hDevice=0x0, dwEraseType=0xd6, bImmediate=0) returned 0x6 [0056.564] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.564] DefineDosDeviceA (dwFlags=0xd6, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.564] GetCurrentThread () returned 0xfffffffe [0056.564] EraseTape (hDevice=0x0, dwEraseType=0xd7, bImmediate=0) returned 0x6 [0056.564] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.564] DefineDosDeviceA (dwFlags=0xd7, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.564] GetCurrentThread () returned 0xfffffffe [0056.564] EraseTape (hDevice=0x0, dwEraseType=0xd8, bImmediate=0) returned 0x6 [0056.564] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.564] DefineDosDeviceA (dwFlags=0xd8, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.564] GetCurrentThread () returned 0xfffffffe [0056.564] EraseTape (hDevice=0x0, dwEraseType=0xd9, bImmediate=0) returned 0x6 [0056.564] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.564] DefineDosDeviceA (dwFlags=0xd9, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.564] GetCurrentThread () returned 0xfffffffe [0056.564] EraseTape (hDevice=0x0, dwEraseType=0xda, bImmediate=0) returned 0x6 [0056.564] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.564] DefineDosDeviceA (dwFlags=0xda, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.564] GetCurrentThread () returned 0xfffffffe [0056.564] EraseTape (hDevice=0x0, dwEraseType=0xdb, bImmediate=0) returned 0x6 [0056.564] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.564] DefineDosDeviceA (dwFlags=0xdb, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.564] GetCurrentThread () returned 0xfffffffe [0056.564] EraseTape (hDevice=0x0, dwEraseType=0xdc, bImmediate=0) returned 0x6 [0056.564] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.564] DefineDosDeviceA (dwFlags=0xdc, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.564] GetCurrentThread () returned 0xfffffffe [0056.564] EraseTape (hDevice=0x0, dwEraseType=0xdd, bImmediate=0) returned 0x6 [0056.567] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.567] DefineDosDeviceA (dwFlags=0xdd, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.567] GetCurrentThread () returned 0xfffffffe [0056.567] EraseTape (hDevice=0x0, dwEraseType=0xde, bImmediate=0) returned 0x6 [0056.567] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.567] DefineDosDeviceA (dwFlags=0xde, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.567] GetCurrentThread () returned 0xfffffffe [0056.567] EraseTape (hDevice=0x0, dwEraseType=0xdf, bImmediate=0) returned 0x6 [0056.567] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.567] DefineDosDeviceA (dwFlags=0xdf, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.567] GetCurrentThread () returned 0xfffffffe [0056.567] EraseTape (hDevice=0x0, dwEraseType=0xe0, bImmediate=0) returned 0x6 [0056.567] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.567] DefineDosDeviceA (dwFlags=0xe0, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.567] GetCurrentThread () returned 0xfffffffe [0056.567] EraseTape (hDevice=0x0, dwEraseType=0xe1, bImmediate=0) returned 0x6 [0056.567] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.567] DefineDosDeviceA (dwFlags=0xe1, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.567] GetCurrentThread () returned 0xfffffffe [0056.567] EraseTape (hDevice=0x0, dwEraseType=0xe2, bImmediate=0) returned 0x6 [0056.567] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.567] DefineDosDeviceA (dwFlags=0xe2, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.567] GetCurrentThread () returned 0xfffffffe [0056.567] EraseTape (hDevice=0x0, dwEraseType=0xe3, bImmediate=0) returned 0x6 [0056.567] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.567] DefineDosDeviceA (dwFlags=0xe3, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xe4, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xe4, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xe5, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xe5, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xe6, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xe6, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xe7, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xe7, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xe8, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xe8, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xe9, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xe9, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xea, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xea, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xeb, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xeb, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xec, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xec, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xed, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.568] DefineDosDeviceA (dwFlags=0xed, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.568] GetCurrentThread () returned 0xfffffffe [0056.568] EraseTape (hDevice=0x0, dwEraseType=0xee, bImmediate=0) returned 0x6 [0056.568] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xee, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xef, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xef, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xf0, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xf0, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xf1, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xf1, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xf2, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xf2, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xf3, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xf3, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xf4, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xf4, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xf5, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xf5, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xf6, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xf6, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xf7, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xf7, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.569] EraseTape (hDevice=0x0, dwEraseType=0xf8, bImmediate=0) returned 0x6 [0056.569] GlobalDeleteAtom (nAtom=0x0) returned 0x0 [0056.569] DefineDosDeviceA (dwFlags=0xf8, lpDeviceName="1234567890", lpTargetPath="//...//") returned 0 [0056.569] GetCurrentThread () returned 0xfffffffe [0056.570] GetCurrentThread () returned 0xfffffffe [0056.570] GetCurrentThread () returned 0xfffffffe [0056.570] GetCurrentThread () returned 0xfffffffe [0056.570] GetCurrentThread () returned 0xfffffffe [0056.570] GetCurrentThread () returned 0xfffffffe [0056.570] GetCurrentThread () returned 0xfffffffe [0056.570] GetCurrentThread () returned 0xfffffffe [0056.570] GetCurrentThread () returned 0xfffffffe [0057.642] GetACP () returned 0x4e4 [0057.642] Sleep (dwMilliseconds=0x1388) [0062.658] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0062.662] lstrcpyW (in: lpString1=0x19f5b4, lpString2="zoolz.exe" | out: lpString1="zoolz.exe") returned="zoolz.exe" [0062.662] lstrlenW (lpString="zoolz.exe") returned 9 [0062.663] CharUpperBuffW (in: lpsz="zoolz.exe", cchLength=0x9 | out: lpsz="ZOOLZ.EXE") returned 0x9 [0062.663] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.663] lstrcpyW (in: lpString1=0x19f3ac, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0062.663] lstrlenW (lpString="[System Process]") returned 16 [0062.663] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0062.663] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="ZOOLZ.EXE") returned -1 [0062.665] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x69, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0062.666] lstrcpyW (in: lpString1=0x19f3ac, lpString2="System" | out: lpString1="System") returned="System" [0062.666] lstrlenW (lpString="System") returned 6 [0062.666] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0062.666] lstrcmpW (lpString1="SYSTEM", lpString2="ZOOLZ.EXE") returned -1 [0062.666] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0062.667] lstrcpyW (in: lpString1=0x19f3ac, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0062.667] lstrlenW (lpString="smss.exe") returned 8 [0062.667] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0062.667] lstrcmpW (lpString1="SMSS.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.667] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.667] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.668] lstrlenW (lpString="csrss.exe") returned 9 [0062.668] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.668] lstrcmpW (lpString1="CSRSS.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.668] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0062.668] lstrcpyW (in: lpString1=0x19f3ac, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0062.668] lstrlenW (lpString="wininit.exe") returned 11 [0062.668] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0062.668] lstrcmpW (lpString1="WININIT.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.668] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.669] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.669] lstrlenW (lpString="csrss.exe") returned 9 [0062.669] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.669] lstrcmpW (lpString1="CSRSS.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.669] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0062.670] lstrcpyW (in: lpString1=0x19f3ac, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0062.670] lstrlenW (lpString="winlogon.exe") returned 12 [0062.670] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0062.670] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.670] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0062.670] lstrcpyW (in: lpString1=0x19f3ac, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0062.670] lstrlenW (lpString="services.exe") returned 12 [0062.670] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0062.670] lstrcmpW (lpString1="SERVICES.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.670] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0062.671] lstrcpyW (in: lpString1=0x19f3ac, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0062.671] lstrlenW (lpString="lsass.exe") returned 9 [0062.671] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0062.671] lstrcmpW (lpString1="LSASS.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.671] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.672] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.672] lstrlenW (lpString="svchost.exe") returned 11 [0062.672] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.672] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.672] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.672] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.672] lstrlenW (lpString="svchost.exe") returned 11 [0062.672] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.672] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.672] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0062.673] lstrcpyW (in: lpString1=0x19f3ac, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0062.673] lstrlenW (lpString="dwm.exe") returned 7 [0062.673] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0062.673] lstrcmpW (lpString1="DWM.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.673] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.674] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.674] lstrlenW (lpString="svchost.exe") returned 11 [0062.674] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.674] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.674] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.674] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.674] lstrlenW (lpString="svchost.exe") returned 11 [0062.674] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.674] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.674] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.675] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.675] lstrlenW (lpString="svchost.exe") returned 11 [0062.675] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.675] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.675] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.675] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.675] lstrlenW (lpString="svchost.exe") returned 11 [0062.675] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.675] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.675] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.676] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.676] lstrlenW (lpString="svchost.exe") returned 11 [0062.676] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.676] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.676] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.677] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.677] lstrlenW (lpString="svchost.exe") returned 11 [0062.677] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.677] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.677] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0062.677] lstrcpyW (in: lpString1=0x19f3ac, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0062.677] lstrlenW (lpString="spoolsv.exe") returned 11 [0062.677] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0062.677] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.678] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.678] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.678] lstrlenW (lpString="svchost.exe") returned 11 [0062.678] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.678] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.678] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.679] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.679] lstrlenW (lpString="svchost.exe") returned 11 [0062.679] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.679] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.679] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0062.679] lstrcpyW (in: lpString1=0x19f3ac, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0062.679] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0062.679] CharUpperBuffW (in: lpsz="OfficeClickToRun.exe", cchLength=0x14 | out: lpsz="OFFICECLICKTORUN.EXE") returned 0x14 [0062.679] lstrcmpW (lpString1="OFFICECLICKTORUN.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.679] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.680] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.680] lstrlenW (lpString="svchost.exe") returned 11 [0062.680] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.680] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.680] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0062.681] lstrcpyW (in: lpString1=0x19f3ac, lpString2="sihost.exe" | out: lpString1="sihost.exe") returned="sihost.exe" [0062.681] lstrlenW (lpString="sihost.exe") returned 10 [0062.681] CharUpperBuffW (in: lpsz="sihost.exe", cchLength=0xa | out: lpsz="SIHOST.EXE") returned 0xa [0062.681] lstrcmpW (lpString1="SIHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.681] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0062.681] lstrcpyW (in: lpString1=0x19f3ac, lpString2="taskhostw.exe" | out: lpString1="taskhostw.exe") returned="taskhostw.exe" [0062.681] lstrlenW (lpString="taskhostw.exe") returned 13 [0062.681] CharUpperBuffW (in: lpsz="taskhostw.exe", cchLength=0xd | out: lpsz="TASKHOSTW.EXE") returned 0xd [0062.681] lstrcmpW (lpString1="TASKHOSTW.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.681] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0062.682] lstrcpyW (in: lpString1=0x19f3ac, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0062.682] lstrlenW (lpString="explorer.exe") returned 12 [0062.682] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0062.682] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.682] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0062.683] lstrcpyW (in: lpString1=0x19f3ac, lpString2="RuntimeBroker.exe" | out: lpString1="RuntimeBroker.exe") returned="RuntimeBroker.exe" [0062.683] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0062.683] CharUpperBuffW (in: lpsz="RuntimeBroker.exe", cchLength=0x11 | out: lpsz="RUNTIMEBROKER.EXE") returned 0x11 [0062.683] lstrcmpW (lpString1="RUNTIMEBROKER.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.683] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0062.683] lstrcpyW (in: lpString1=0x19f3ac, lpString2="ShellExperienceHost.exe" | out: lpString1="ShellExperienceHost.exe") returned="ShellExperienceHost.exe" [0062.683] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0062.684] CharUpperBuffW (in: lpsz="ShellExperienceHost.exe", cchLength=0x17 | out: lpsz="SHELLEXPERIENCEHOST.EXE") returned 0x17 [0062.684] lstrcmpW (lpString1="SHELLEXPERIENCEHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.684] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0062.684] lstrcpyW (in: lpString1=0x19f3ac, lpString2="SearchUI.exe" | out: lpString1="SearchUI.exe") returned="SearchUI.exe" [0062.684] lstrlenW (lpString="SearchUI.exe") returned 12 [0062.684] CharUpperBuffW (in: lpsz="SearchUI.exe", cchLength=0xc | out: lpsz="SEARCHUI.EXE") returned 0xc [0062.684] lstrcmpW (lpString1="SEARCHUI.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.684] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0062.685] lstrcpyW (in: lpString1=0x19f3ac, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0062.685] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0062.685] CharUpperBuffW (in: lpsz="backgroundTaskHost.exe", cchLength=0x16 | out: lpsz="BACKGROUNDTASKHOST.EXE") returned 0x16 [0062.685] lstrcmpW (lpString1="BACKGROUNDTASKHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.685] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0062.685] lstrcpyW (in: lpString1=0x19f3ac, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0062.685] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0062.685] CharUpperBuffW (in: lpsz="backgroundTaskHost.exe", cchLength=0x16 | out: lpsz="BACKGROUNDTASKHOST.EXE") returned 0x16 [0062.686] lstrcmpW (lpString1="BACKGROUNDTASKHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.686] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="commandsxeroxrelationship.exe")) returned 1 [0062.686] lstrcpyW (in: lpString1=0x19f3ac, lpString2="commandsxeroxrelationship.exe" | out: lpString1="commandsxeroxrelationship.exe") returned="commandsxeroxrelationship.exe" [0062.686] lstrlenW (lpString="commandsxeroxrelationship.exe") returned 29 [0062.686] CharUpperBuffW (in: lpsz="commandsxeroxrelationship.exe", cchLength=0x1d | out: lpsz="COMMANDSXEROXRELATIONSHIP.EXE") returned 0x1d [0062.686] lstrcmpW (lpString1="COMMANDSXEROXRELATIONSHIP.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.686] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="terminal recorder.exe")) returned 1 [0062.687] lstrcpyW (in: lpString1=0x19f3ac, lpString2="terminal recorder.exe" | out: lpString1="terminal recorder.exe") returned="terminal recorder.exe" [0062.687] lstrlenW (lpString="terminal recorder.exe") returned 21 [0062.687] CharUpperBuffW (in: lpsz="terminal recorder.exe", cchLength=0x15 | out: lpsz="TERMINAL RECORDER.EXE") returned 0x15 [0062.687] lstrcmpW (lpString1="TERMINAL RECORDER.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.687] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explaining.exe")) returned 1 [0062.687] lstrcpyW (in: lpString1=0x19f3ac, lpString2="explaining.exe" | out: lpString1="explaining.exe") returned="explaining.exe" [0062.687] lstrlenW (lpString="explaining.exe") returned 14 [0062.687] CharUpperBuffW (in: lpsz="explaining.exe", cchLength=0xe | out: lpsz="EXPLAINING.EXE") returned 0xe [0062.687] lstrcmpW (lpString1="EXPLAINING.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.687] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ham.exe")) returned 1 [0062.688] lstrcpyW (in: lpString1=0x19f3ac, lpString2="ham.exe" | out: lpString1="ham.exe") returned="ham.exe" [0062.688] lstrlenW (lpString="ham.exe") returned 7 [0062.688] CharUpperBuffW (in: lpsz="ham.exe", cchLength=0x7 | out: lpsz="HAM.EXE") returned 0x7 [0062.688] lstrcmpW (lpString1="HAM.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.688] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x264, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="controllers_producing_shoe.exe")) returned 1 [0062.688] lstrcpyW (in: lpString1=0x19f3ac, lpString2="controllers_producing_shoe.exe" | out: lpString1="controllers_producing_shoe.exe") returned="controllers_producing_shoe.exe" [0062.688] lstrlenW (lpString="controllers_producing_shoe.exe") returned 30 [0062.688] CharUpperBuffW (in: lpsz="controllers_producing_shoe.exe", cchLength=0x1e | out: lpsz="CONTROLLERS_PRODUCING_SHOE.EXE") returned 0x1e [0062.689] lstrcmpW (lpString1="CONTROLLERS_PRODUCING_SHOE.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.689] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x710, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="recommendation-jack-accepting.exe")) returned 1 [0062.689] lstrcpyW (in: lpString1=0x19f3ac, lpString2="recommendation-jack-accepting.exe" | out: lpString1="recommendation-jack-accepting.exe") returned="recommendation-jack-accepting.exe" [0062.689] lstrlenW (lpString="recommendation-jack-accepting.exe") returned 33 [0062.689] CharUpperBuffW (in: lpsz="recommendation-jack-accepting.exe", cchLength=0x21 | out: lpsz="RECOMMENDATION-JACK-ACCEPTING.EXE") returned 0x21 [0062.689] lstrcmpW (lpString1="RECOMMENDATION-JACK-ACCEPTING.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.689] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vbles.exe")) returned 1 [0062.690] lstrcpyW (in: lpString1=0x19f3ac, lpString2="vbles.exe" | out: lpString1="vbles.exe") returned="vbles.exe" [0062.690] lstrlenW (lpString="vbles.exe") returned 9 [0062.690] CharUpperBuffW (in: lpsz="vbles.exe", cchLength=0x9 | out: lpsz="VBLES.EXE") returned 0x9 [0062.690] lstrcmpW (lpString1="VBLES.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.690] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="hazardsbusinessacrobat.exe")) returned 1 [0062.690] lstrcpyW (in: lpString1=0x19f3ac, lpString2="hazardsbusinessacrobat.exe" | out: lpString1="hazardsbusinessacrobat.exe") returned="hazardsbusinessacrobat.exe" [0062.690] lstrlenW (lpString="hazardsbusinessacrobat.exe") returned 26 [0062.690] CharUpperBuffW (in: lpsz="hazardsbusinessacrobat.exe", cchLength=0x1a | out: lpsz="HAZARDSBUSINESSACROBAT.EXE") returned 0x1a [0062.690] lstrcmpW (lpString1="HAZARDSBUSINESSACROBAT.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.690] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="needs-radar-underground.exe")) returned 1 [0062.691] lstrcpyW (in: lpString1=0x19f3ac, lpString2="needs-radar-underground.exe" | out: lpString1="needs-radar-underground.exe") returned="needs-radar-underground.exe" [0062.691] lstrlenW (lpString="needs-radar-underground.exe") returned 27 [0062.691] CharUpperBuffW (in: lpsz="needs-radar-underground.exe", cchLength=0x1b | out: lpsz="NEEDS-RADAR-UNDERGROUND.EXE") returned 0x1b [0062.691] lstrcmpW (lpString1="NEEDS-RADAR-UNDERGROUND.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.691] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="inventory.exe")) returned 1 [0062.691] lstrcpyW (in: lpString1=0x19f3ac, lpString2="inventory.exe" | out: lpString1="inventory.exe") returned="inventory.exe" [0062.691] lstrlenW (lpString="inventory.exe") returned 13 [0062.692] CharUpperBuffW (in: lpsz="inventory.exe", cchLength=0xd | out: lpsz="INVENTORY.EXE") returned 0xd [0062.692] lstrcmpW (lpString1="INVENTORY.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.692] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="castle.exe")) returned 1 [0062.692] lstrcpyW (in: lpString1=0x19f3ac, lpString2="castle.exe" | out: lpString1="castle.exe") returned="castle.exe" [0062.692] lstrlenW (lpString="castle.exe") returned 10 [0062.692] CharUpperBuffW (in: lpsz="castle.exe", cchLength=0xa | out: lpsz="CASTLE.EXE") returned 0xa [0062.692] lstrcmpW (lpString1="CASTLE.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.692] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="decorative_wit_bikes.exe")) returned 1 [0062.693] lstrcpyW (in: lpString1=0x19f3ac, lpString2="decorative_wit_bikes.exe" | out: lpString1="decorative_wit_bikes.exe") returned="decorative_wit_bikes.exe" [0062.693] lstrlenW (lpString="decorative_wit_bikes.exe") returned 24 [0062.693] CharUpperBuffW (in: lpsz="decorative_wit_bikes.exe", cchLength=0x18 | out: lpsz="DECORATIVE_WIT_BIKES.EXE") returned 0x18 [0062.693] lstrcmpW (lpString1="DECORATIVE_WIT_BIKES.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.693] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pipes reaches processing.exe")) returned 1 [0062.693] lstrcpyW (in: lpString1=0x19f3ac, lpString2="pipes reaches processing.exe" | out: lpString1="pipes reaches processing.exe") returned="pipes reaches processing.exe" [0062.693] lstrlenW (lpString="pipes reaches processing.exe") returned 28 [0062.693] CharUpperBuffW (in: lpsz="pipes reaches processing.exe", cchLength=0x1c | out: lpsz="PIPES REACHES PROCESSING.EXE") returned 0x1c [0062.693] lstrcmpW (lpString1="PIPES REACHES PROCESSING.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.693] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regulatory_chevy.exe")) returned 1 [0062.694] lstrcpyW (in: lpString1=0x19f3ac, lpString2="regulatory_chevy.exe" | out: lpString1="regulatory_chevy.exe") returned="regulatory_chevy.exe" [0062.694] lstrlenW (lpString="regulatory_chevy.exe") returned 20 [0062.694] CharUpperBuffW (in: lpsz="regulatory_chevy.exe", cchLength=0x14 | out: lpsz="REGULATORY_CHEVY.EXE") returned 0x14 [0062.694] lstrcmpW (lpString1="REGULATORY_CHEVY.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.694] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baseball.exe")) returned 1 [0062.694] lstrcpyW (in: lpString1=0x19f3ac, lpString2="baseball.exe" | out: lpString1="baseball.exe") returned="baseball.exe" [0062.694] lstrlenW (lpString="baseball.exe") returned 12 [0062.694] CharUpperBuffW (in: lpsz="baseball.exe", cchLength=0xc | out: lpsz="BASEBALL.EXE") returned 0xc [0062.694] lstrcmpW (lpString1="BASEBALL.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.695] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="beginners.exe")) returned 1 [0062.695] lstrcpyW (in: lpString1=0x19f3ac, lpString2="beginners.exe" | out: lpString1="beginners.exe") returned="beginners.exe" [0062.695] lstrlenW (lpString="beginners.exe") returned 13 [0062.695] CharUpperBuffW (in: lpsz="beginners.exe", cchLength=0xd | out: lpsz="BEGINNERS.EXE") returned 0xd [0062.695] lstrcmpW (lpString1="BEGINNERS.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.695] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x63c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank-specialties-facial.exe")) returned 1 [0062.696] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tank-specialties-facial.exe" | out: lpString1="tank-specialties-facial.exe") returned="tank-specialties-facial.exe" [0062.696] lstrlenW (lpString="tank-specialties-facial.exe") returned 27 [0062.696] CharUpperBuffW (in: lpsz="tank-specialties-facial.exe", cchLength=0x1b | out: lpsz="TANK-SPECIALTIES-FACIAL.EXE") returned 0x1b [0062.696] lstrcmpW (lpString1="TANK-SPECIALTIES-FACIAL.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.696] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="korea.exe")) returned 1 [0062.696] lstrcpyW (in: lpString1=0x19f3ac, lpString2="korea.exe" | out: lpString1="korea.exe") returned="korea.exe" [0062.696] lstrlenW (lpString="korea.exe") returned 9 [0062.696] CharUpperBuffW (in: lpsz="korea.exe", cchLength=0x9 | out: lpsz="KOREA.EXE") returned 0x9 [0062.696] lstrcmpW (lpString1="KOREA.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.696] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="article_unusual.exe")) returned 1 [0062.697] lstrcpyW (in: lpString1=0x19f3ac, lpString2="article_unusual.exe" | out: lpString1="article_unusual.exe") returned="article_unusual.exe" [0062.697] lstrlenW (lpString="article_unusual.exe") returned 19 [0062.697] CharUpperBuffW (in: lpsz="article_unusual.exe", cchLength=0x13 | out: lpsz="ARTICLE_UNUSUAL.EXE") returned 0x13 [0062.697] lstrcmpW (lpString1="ARTICLE_UNUSUAL.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.697] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tokyo.exe")) returned 1 [0062.698] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tokyo.exe" | out: lpString1="tokyo.exe") returned="tokyo.exe" [0062.698] lstrlenW (lpString="tokyo.exe") returned 9 [0062.698] CharUpperBuffW (in: lpsz="tokyo.exe", cchLength=0x9 | out: lpsz="TOKYO.EXE") returned 0x9 [0062.698] lstrcmpW (lpString1="TOKYO.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.698] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0062.699] lstrcpyW (in: lpString1=0x19f3ac, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0062.699] lstrlenW (lpString="audiodg.exe") returned 11 [0062.699] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0062.699] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.699] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tcpsov.exe")) returned 1 [0062.699] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tcpsov.exe" | out: lpString1="tcpsov.exe") returned="tcpsov.exe" [0062.699] lstrlenW (lpString="tcpsov.exe") returned 10 [0062.699] CharUpperBuffW (in: lpsz="tcpsov.exe", cchLength=0xa | out: lpsz="TCPSOV.EXE") returned 0xa [0062.699] lstrcmpW (lpString1="TCPSOV.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.699] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0062.700] lstrcpyW (in: lpString1=0x19f3ac, lpString2="dllhost.exe" | out: lpString1="dllhost.exe") returned="dllhost.exe" [0062.700] lstrlenW (lpString="dllhost.exe") returned 11 [0062.700] CharUpperBuffW (in: lpsz="dllhost.exe", cchLength=0xb | out: lpsz="DLLHOST.EXE") returned 0xb [0062.700] lstrcmpW (lpString1="DLLHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.700] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.701] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.701] lstrlenW (lpString="svchost.exe") returned 11 [0062.701] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.701] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="ZOOLZ.EXE") returned -1 [0062.701] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0062.701] CloseHandle (hObject=0x18c) returned 1 [0062.701] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0062.704] lstrcpyW (in: lpString1=0x19f5b4, lpString2="mysqld-nt.exe" | out: lpString1="mysqld-nt.exe") returned="mysqld-nt.exe" [0062.704] lstrlenW (lpString="mysqld-nt.exe") returned 13 [0062.704] CharUpperBuffW (in: lpsz="mysqld-nt.exe", cchLength=0xd | out: lpsz="MYSQLD-NT.EXE") returned 0xd [0062.704] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.705] lstrcpyW (in: lpString1=0x19f3ac, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0062.705] lstrlenW (lpString="[System Process]") returned 16 [0062.705] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0062.705] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="MYSQLD-NT.EXE") returned -1 [0062.705] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x69, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0062.706] lstrcpyW (in: lpString1=0x19f3ac, lpString2="System" | out: lpString1="System") returned="System" [0062.706] lstrlenW (lpString="System") returned 6 [0062.706] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0062.706] lstrcmpW (lpString1="SYSTEM", lpString2="MYSQLD-NT.EXE") returned 1 [0062.706] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0062.706] lstrcpyW (in: lpString1=0x19f3ac, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0062.706] lstrlenW (lpString="smss.exe") returned 8 [0062.706] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0062.706] lstrcmpW (lpString1="SMSS.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.706] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.707] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.707] lstrlenW (lpString="csrss.exe") returned 9 [0062.707] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.707] lstrcmpW (lpString1="CSRSS.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.707] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0062.707] lstrcpyW (in: lpString1=0x19f3ac, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0062.707] lstrlenW (lpString="wininit.exe") returned 11 [0062.707] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0062.707] lstrcmpW (lpString1="WININIT.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.707] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.708] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.708] lstrlenW (lpString="csrss.exe") returned 9 [0062.708] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.708] lstrcmpW (lpString1="CSRSS.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.708] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0062.709] lstrcpyW (in: lpString1=0x19f3ac, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0062.709] lstrlenW (lpString="winlogon.exe") returned 12 [0062.709] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0062.709] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.709] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0062.709] lstrcpyW (in: lpString1=0x19f3ac, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0062.709] lstrlenW (lpString="services.exe") returned 12 [0062.709] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0062.709] lstrcmpW (lpString1="SERVICES.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.709] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0062.710] lstrcpyW (in: lpString1=0x19f3ac, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0062.710] lstrlenW (lpString="lsass.exe") returned 9 [0062.710] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0062.710] lstrcmpW (lpString1="LSASS.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.710] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.711] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.711] lstrlenW (lpString="svchost.exe") returned 11 [0062.711] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.711] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.711] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.711] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.711] lstrlenW (lpString="svchost.exe") returned 11 [0062.711] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.711] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.711] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0062.712] lstrcpyW (in: lpString1=0x19f3ac, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0062.712] lstrlenW (lpString="dwm.exe") returned 7 [0062.712] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0062.712] lstrcmpW (lpString1="DWM.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.712] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.713] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.713] lstrlenW (lpString="svchost.exe") returned 11 [0062.713] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.713] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.713] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.714] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.714] lstrlenW (lpString="svchost.exe") returned 11 [0062.714] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.714] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.714] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.715] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.715] lstrlenW (lpString="svchost.exe") returned 11 [0062.715] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.715] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.715] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.715] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.716] lstrlenW (lpString="svchost.exe") returned 11 [0062.716] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.716] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.716] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.716] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.716] lstrlenW (lpString="svchost.exe") returned 11 [0062.716] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.716] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.716] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.717] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.717] lstrlenW (lpString="svchost.exe") returned 11 [0062.717] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.717] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.717] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0062.718] lstrcpyW (in: lpString1=0x19f3ac, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0062.718] lstrlenW (lpString="spoolsv.exe") returned 11 [0062.718] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0062.718] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.718] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.718] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.718] lstrlenW (lpString="svchost.exe") returned 11 [0062.718] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.718] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.718] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.719] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.719] lstrlenW (lpString="svchost.exe") returned 11 [0062.719] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.719] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.719] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0062.720] lstrcpyW (in: lpString1=0x19f3ac, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0062.720] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0062.720] CharUpperBuffW (in: lpsz="OfficeClickToRun.exe", cchLength=0x14 | out: lpsz="OFFICECLICKTORUN.EXE") returned 0x14 [0062.720] lstrcmpW (lpString1="OFFICECLICKTORUN.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.720] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.720] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.720] lstrlenW (lpString="svchost.exe") returned 11 [0062.720] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.720] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.720] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0062.721] lstrcpyW (in: lpString1=0x19f3ac, lpString2="sihost.exe" | out: lpString1="sihost.exe") returned="sihost.exe" [0062.721] lstrlenW (lpString="sihost.exe") returned 10 [0062.721] CharUpperBuffW (in: lpsz="sihost.exe", cchLength=0xa | out: lpsz="SIHOST.EXE") returned 0xa [0062.721] lstrcmpW (lpString1="SIHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.721] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0062.721] lstrcpyW (in: lpString1=0x19f3ac, lpString2="taskhostw.exe" | out: lpString1="taskhostw.exe") returned="taskhostw.exe" [0062.721] lstrlenW (lpString="taskhostw.exe") returned 13 [0062.721] CharUpperBuffW (in: lpsz="taskhostw.exe", cchLength=0xd | out: lpsz="TASKHOSTW.EXE") returned 0xd [0062.721] lstrcmpW (lpString1="TASKHOSTW.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.721] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0062.722] lstrcpyW (in: lpString1=0x19f3ac, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0062.722] lstrlenW (lpString="explorer.exe") returned 12 [0062.722] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0062.722] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.722] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0062.723] lstrcpyW (in: lpString1=0x19f3ac, lpString2="RuntimeBroker.exe" | out: lpString1="RuntimeBroker.exe") returned="RuntimeBroker.exe" [0062.723] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0062.723] CharUpperBuffW (in: lpsz="RuntimeBroker.exe", cchLength=0x11 | out: lpsz="RUNTIMEBROKER.EXE") returned 0x11 [0062.723] lstrcmpW (lpString1="RUNTIMEBROKER.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.723] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0062.723] lstrcpyW (in: lpString1=0x19f3ac, lpString2="ShellExperienceHost.exe" | out: lpString1="ShellExperienceHost.exe") returned="ShellExperienceHost.exe" [0062.723] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0062.723] CharUpperBuffW (in: lpsz="ShellExperienceHost.exe", cchLength=0x17 | out: lpsz="SHELLEXPERIENCEHOST.EXE") returned 0x17 [0062.723] lstrcmpW (lpString1="SHELLEXPERIENCEHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.723] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0062.724] lstrcpyW (in: lpString1=0x19f3ac, lpString2="SearchUI.exe" | out: lpString1="SearchUI.exe") returned="SearchUI.exe" [0062.724] lstrlenW (lpString="SearchUI.exe") returned 12 [0062.724] CharUpperBuffW (in: lpsz="SearchUI.exe", cchLength=0xc | out: lpsz="SEARCHUI.EXE") returned 0xc [0062.724] lstrcmpW (lpString1="SEARCHUI.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.724] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0062.725] lstrcpyW (in: lpString1=0x19f3ac, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0062.725] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0062.725] CharUpperBuffW (in: lpsz="backgroundTaskHost.exe", cchLength=0x16 | out: lpsz="BACKGROUNDTASKHOST.EXE") returned 0x16 [0062.725] lstrcmpW (lpString1="BACKGROUNDTASKHOST.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.725] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0062.725] lstrcpyW (in: lpString1=0x19f3ac, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0062.725] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0062.725] CharUpperBuffW (in: lpsz="backgroundTaskHost.exe", cchLength=0x16 | out: lpsz="BACKGROUNDTASKHOST.EXE") returned 0x16 [0062.725] lstrcmpW (lpString1="BACKGROUNDTASKHOST.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.725] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="commandsxeroxrelationship.exe")) returned 1 [0062.726] lstrcpyW (in: lpString1=0x19f3ac, lpString2="commandsxeroxrelationship.exe" | out: lpString1="commandsxeroxrelationship.exe") returned="commandsxeroxrelationship.exe" [0062.726] lstrlenW (lpString="commandsxeroxrelationship.exe") returned 29 [0062.726] CharUpperBuffW (in: lpsz="commandsxeroxrelationship.exe", cchLength=0x1d | out: lpsz="COMMANDSXEROXRELATIONSHIP.EXE") returned 0x1d [0062.726] lstrcmpW (lpString1="COMMANDSXEROXRELATIONSHIP.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.726] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="terminal recorder.exe")) returned 1 [0062.727] lstrcpyW (in: lpString1=0x19f3ac, lpString2="terminal recorder.exe" | out: lpString1="terminal recorder.exe") returned="terminal recorder.exe" [0062.727] lstrlenW (lpString="terminal recorder.exe") returned 21 [0062.727] CharUpperBuffW (in: lpsz="terminal recorder.exe", cchLength=0x15 | out: lpsz="TERMINAL RECORDER.EXE") returned 0x15 [0062.727] lstrcmpW (lpString1="TERMINAL RECORDER.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.727] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explaining.exe")) returned 1 [0062.727] lstrcpyW (in: lpString1=0x19f3ac, lpString2="explaining.exe" | out: lpString1="explaining.exe") returned="explaining.exe" [0062.727] lstrlenW (lpString="explaining.exe") returned 14 [0062.727] CharUpperBuffW (in: lpsz="explaining.exe", cchLength=0xe | out: lpsz="EXPLAINING.EXE") returned 0xe [0062.727] lstrcmpW (lpString1="EXPLAINING.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.727] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ham.exe")) returned 1 [0062.728] lstrcpyW (in: lpString1=0x19f3ac, lpString2="ham.exe" | out: lpString1="ham.exe") returned="ham.exe" [0062.728] lstrlenW (lpString="ham.exe") returned 7 [0062.728] CharUpperBuffW (in: lpsz="ham.exe", cchLength=0x7 | out: lpsz="HAM.EXE") returned 0x7 [0062.728] lstrcmpW (lpString1="HAM.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.728] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x264, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="controllers_producing_shoe.exe")) returned 1 [0062.729] lstrcpyW (in: lpString1=0x19f3ac, lpString2="controllers_producing_shoe.exe" | out: lpString1="controllers_producing_shoe.exe") returned="controllers_producing_shoe.exe" [0062.729] lstrlenW (lpString="controllers_producing_shoe.exe") returned 30 [0062.729] CharUpperBuffW (in: lpsz="controllers_producing_shoe.exe", cchLength=0x1e | out: lpsz="CONTROLLERS_PRODUCING_SHOE.EXE") returned 0x1e [0062.729] lstrcmpW (lpString1="CONTROLLERS_PRODUCING_SHOE.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.729] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x710, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="recommendation-jack-accepting.exe")) returned 1 [0062.730] lstrcpyW (in: lpString1=0x19f3ac, lpString2="recommendation-jack-accepting.exe" | out: lpString1="recommendation-jack-accepting.exe") returned="recommendation-jack-accepting.exe" [0062.730] lstrlenW (lpString="recommendation-jack-accepting.exe") returned 33 [0062.730] CharUpperBuffW (in: lpsz="recommendation-jack-accepting.exe", cchLength=0x21 | out: lpsz="RECOMMENDATION-JACK-ACCEPTING.EXE") returned 0x21 [0062.730] lstrcmpW (lpString1="RECOMMENDATION-JACK-ACCEPTING.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.730] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vbles.exe")) returned 1 [0062.730] lstrcpyW (in: lpString1=0x19f3ac, lpString2="vbles.exe" | out: lpString1="vbles.exe") returned="vbles.exe" [0062.730] lstrlenW (lpString="vbles.exe") returned 9 [0062.730] CharUpperBuffW (in: lpsz="vbles.exe", cchLength=0x9 | out: lpsz="VBLES.EXE") returned 0x9 [0062.730] lstrcmpW (lpString1="VBLES.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.730] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="hazardsbusinessacrobat.exe")) returned 1 [0062.731] lstrcpyW (in: lpString1=0x19f3ac, lpString2="hazardsbusinessacrobat.exe" | out: lpString1="hazardsbusinessacrobat.exe") returned="hazardsbusinessacrobat.exe" [0062.731] lstrlenW (lpString="hazardsbusinessacrobat.exe") returned 26 [0062.731] CharUpperBuffW (in: lpsz="hazardsbusinessacrobat.exe", cchLength=0x1a | out: lpsz="HAZARDSBUSINESSACROBAT.EXE") returned 0x1a [0062.731] lstrcmpW (lpString1="HAZARDSBUSINESSACROBAT.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.731] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="needs-radar-underground.exe")) returned 1 [0062.731] lstrcpyW (in: lpString1=0x19f3ac, lpString2="needs-radar-underground.exe" | out: lpString1="needs-radar-underground.exe") returned="needs-radar-underground.exe" [0062.731] lstrlenW (lpString="needs-radar-underground.exe") returned 27 [0062.732] CharUpperBuffW (in: lpsz="needs-radar-underground.exe", cchLength=0x1b | out: lpsz="NEEDS-RADAR-UNDERGROUND.EXE") returned 0x1b [0062.732] lstrcmpW (lpString1="NEEDS-RADAR-UNDERGROUND.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.732] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="inventory.exe")) returned 1 [0062.732] lstrcpyW (in: lpString1=0x19f3ac, lpString2="inventory.exe" | out: lpString1="inventory.exe") returned="inventory.exe" [0062.732] lstrlenW (lpString="inventory.exe") returned 13 [0062.732] CharUpperBuffW (in: lpsz="inventory.exe", cchLength=0xd | out: lpsz="INVENTORY.EXE") returned 0xd [0062.732] lstrcmpW (lpString1="INVENTORY.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.732] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="castle.exe")) returned 1 [0062.733] lstrcpyW (in: lpString1=0x19f3ac, lpString2="castle.exe" | out: lpString1="castle.exe") returned="castle.exe" [0062.733] lstrlenW (lpString="castle.exe") returned 10 [0062.733] CharUpperBuffW (in: lpsz="castle.exe", cchLength=0xa | out: lpsz="CASTLE.EXE") returned 0xa [0062.733] lstrcmpW (lpString1="CASTLE.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.733] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="decorative_wit_bikes.exe")) returned 1 [0062.733] lstrcpyW (in: lpString1=0x19f3ac, lpString2="decorative_wit_bikes.exe" | out: lpString1="decorative_wit_bikes.exe") returned="decorative_wit_bikes.exe" [0062.733] lstrlenW (lpString="decorative_wit_bikes.exe") returned 24 [0062.733] CharUpperBuffW (in: lpsz="decorative_wit_bikes.exe", cchLength=0x18 | out: lpsz="DECORATIVE_WIT_BIKES.EXE") returned 0x18 [0062.733] lstrcmpW (lpString1="DECORATIVE_WIT_BIKES.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.733] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pipes reaches processing.exe")) returned 1 [0062.734] lstrcpyW (in: lpString1=0x19f3ac, lpString2="pipes reaches processing.exe" | out: lpString1="pipes reaches processing.exe") returned="pipes reaches processing.exe" [0062.734] lstrlenW (lpString="pipes reaches processing.exe") returned 28 [0062.734] CharUpperBuffW (in: lpsz="pipes reaches processing.exe", cchLength=0x1c | out: lpsz="PIPES REACHES PROCESSING.EXE") returned 0x1c [0062.734] lstrcmpW (lpString1="PIPES REACHES PROCESSING.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.734] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regulatory_chevy.exe")) returned 1 [0062.734] lstrcpyW (in: lpString1=0x19f3ac, lpString2="regulatory_chevy.exe" | out: lpString1="regulatory_chevy.exe") returned="regulatory_chevy.exe" [0062.734] lstrlenW (lpString="regulatory_chevy.exe") returned 20 [0062.734] CharUpperBuffW (in: lpsz="regulatory_chevy.exe", cchLength=0x14 | out: lpsz="REGULATORY_CHEVY.EXE") returned 0x14 [0062.734] lstrcmpW (lpString1="REGULATORY_CHEVY.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.735] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baseball.exe")) returned 1 [0062.735] lstrcpyW (in: lpString1=0x19f3ac, lpString2="baseball.exe" | out: lpString1="baseball.exe") returned="baseball.exe" [0062.735] lstrlenW (lpString="baseball.exe") returned 12 [0062.735] CharUpperBuffW (in: lpsz="baseball.exe", cchLength=0xc | out: lpsz="BASEBALL.EXE") returned 0xc [0062.735] lstrcmpW (lpString1="BASEBALL.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.735] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="beginners.exe")) returned 1 [0062.736] lstrcpyW (in: lpString1=0x19f3ac, lpString2="beginners.exe" | out: lpString1="beginners.exe") returned="beginners.exe" [0062.736] lstrlenW (lpString="beginners.exe") returned 13 [0062.736] CharUpperBuffW (in: lpsz="beginners.exe", cchLength=0xd | out: lpsz="BEGINNERS.EXE") returned 0xd [0062.736] lstrcmpW (lpString1="BEGINNERS.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.736] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x63c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank-specialties-facial.exe")) returned 1 [0062.736] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tank-specialties-facial.exe" | out: lpString1="tank-specialties-facial.exe") returned="tank-specialties-facial.exe" [0062.736] lstrlenW (lpString="tank-specialties-facial.exe") returned 27 [0062.736] CharUpperBuffW (in: lpsz="tank-specialties-facial.exe", cchLength=0x1b | out: lpsz="TANK-SPECIALTIES-FACIAL.EXE") returned 0x1b [0062.736] lstrcmpW (lpString1="TANK-SPECIALTIES-FACIAL.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.736] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="korea.exe")) returned 1 [0062.737] lstrcpyW (in: lpString1=0x19f3ac, lpString2="korea.exe" | out: lpString1="korea.exe") returned="korea.exe" [0062.737] lstrlenW (lpString="korea.exe") returned 9 [0062.737] CharUpperBuffW (in: lpsz="korea.exe", cchLength=0x9 | out: lpsz="KOREA.EXE") returned 0x9 [0062.737] lstrcmpW (lpString1="KOREA.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.737] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="article_unusual.exe")) returned 1 [0062.737] lstrcpyW (in: lpString1=0x19f3ac, lpString2="article_unusual.exe" | out: lpString1="article_unusual.exe") returned="article_unusual.exe" [0062.737] lstrlenW (lpString="article_unusual.exe") returned 19 [0062.737] CharUpperBuffW (in: lpsz="article_unusual.exe", cchLength=0x13 | out: lpsz="ARTICLE_UNUSUAL.EXE") returned 0x13 [0062.737] lstrcmpW (lpString1="ARTICLE_UNUSUAL.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.737] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tokyo.exe")) returned 1 [0062.738] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tokyo.exe" | out: lpString1="tokyo.exe") returned="tokyo.exe" [0062.738] lstrlenW (lpString="tokyo.exe") returned 9 [0062.738] CharUpperBuffW (in: lpsz="tokyo.exe", cchLength=0x9 | out: lpsz="TOKYO.EXE") returned 0x9 [0062.738] lstrcmpW (lpString1="TOKYO.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.738] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0062.739] lstrcpyW (in: lpString1=0x19f3ac, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0062.739] lstrlenW (lpString="audiodg.exe") returned 11 [0062.739] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0062.739] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.739] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tcpsov.exe")) returned 1 [0062.739] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tcpsov.exe" | out: lpString1="tcpsov.exe") returned="tcpsov.exe" [0062.739] lstrlenW (lpString="tcpsov.exe") returned 10 [0062.739] CharUpperBuffW (in: lpsz="tcpsov.exe", cchLength=0xa | out: lpsz="TCPSOV.EXE") returned 0xa [0062.739] lstrcmpW (lpString1="TCPSOV.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.739] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0062.740] lstrcpyW (in: lpString1=0x19f3ac, lpString2="dllhost.exe" | out: lpString1="dllhost.exe") returned="dllhost.exe" [0062.740] lstrlenW (lpString="dllhost.exe") returned 11 [0062.740] CharUpperBuffW (in: lpsz="dllhost.exe", cchLength=0xb | out: lpsz="DLLHOST.EXE") returned 0xb [0062.740] lstrcmpW (lpString1="DLLHOST.EXE", lpString2="MYSQLD-NT.EXE") returned -1 [0062.740] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.741] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.741] lstrlenW (lpString="svchost.exe") returned 11 [0062.741] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.741] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-NT.EXE") returned 1 [0062.741] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0062.741] CloseHandle (hObject=0x18c) returned 1 [0062.741] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0062.745] lstrcpyW (in: lpString1=0x19f5b4, lpString2="syntime.exe" | out: lpString1="syntime.exe") returned="syntime.exe" [0062.745] lstrlenW (lpString="syntime.exe") returned 11 [0062.745] CharUpperBuffW (in: lpsz="syntime.exe", cchLength=0xb | out: lpsz="SYNTIME.EXE") returned 0xb [0062.745] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.745] lstrcpyW (in: lpString1=0x19f3ac, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0062.745] lstrlenW (lpString="[System Process]") returned 16 [0062.745] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0062.745] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="SYNTIME.EXE") returned -1 [0062.745] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x69, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0062.746] lstrcpyW (in: lpString1=0x19f3ac, lpString2="System" | out: lpString1="System") returned="System" [0062.746] lstrlenW (lpString="System") returned 6 [0062.746] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0062.746] lstrcmpW (lpString1="SYSTEM", lpString2="SYNTIME.EXE") returned 1 [0062.746] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0062.746] lstrcpyW (in: lpString1=0x19f3ac, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0062.746] lstrlenW (lpString="smss.exe") returned 8 [0062.746] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0062.746] lstrcmpW (lpString1="SMSS.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.746] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.747] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.747] lstrlenW (lpString="csrss.exe") returned 9 [0062.747] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.747] lstrcmpW (lpString1="CSRSS.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.747] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0062.748] lstrcpyW (in: lpString1=0x19f3ac, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0062.748] lstrlenW (lpString="wininit.exe") returned 11 [0062.748] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0062.748] lstrcmpW (lpString1="WININIT.EXE", lpString2="SYNTIME.EXE") returned 1 [0062.748] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.748] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.748] lstrlenW (lpString="csrss.exe") returned 9 [0062.748] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.748] lstrcmpW (lpString1="CSRSS.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.748] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0062.749] lstrcpyW (in: lpString1=0x19f3ac, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0062.749] lstrlenW (lpString="winlogon.exe") returned 12 [0062.749] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0062.749] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="SYNTIME.EXE") returned 1 [0062.749] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0062.749] lstrcpyW (in: lpString1=0x19f3ac, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0062.749] lstrlenW (lpString="services.exe") returned 12 [0062.749] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0062.749] lstrcmpW (lpString1="SERVICES.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.749] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0062.750] lstrcpyW (in: lpString1=0x19f3ac, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0062.750] lstrlenW (lpString="lsass.exe") returned 9 [0062.750] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0062.750] lstrcmpW (lpString1="LSASS.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.750] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.751] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.751] lstrlenW (lpString="svchost.exe") returned 11 [0062.751] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.751] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.751] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.751] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.751] lstrlenW (lpString="svchost.exe") returned 11 [0062.751] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.751] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.751] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0062.752] lstrcpyW (in: lpString1=0x19f3ac, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0062.752] lstrlenW (lpString="dwm.exe") returned 7 [0062.752] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0062.752] lstrcmpW (lpString1="DWM.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.752] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.753] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.753] lstrlenW (lpString="svchost.exe") returned 11 [0062.753] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.753] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.753] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.753] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.753] lstrlenW (lpString="svchost.exe") returned 11 [0062.753] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.753] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.753] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.754] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.754] lstrlenW (lpString="svchost.exe") returned 11 [0062.754] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.754] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.754] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.755] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.755] lstrlenW (lpString="svchost.exe") returned 11 [0062.755] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.755] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.755] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.755] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.755] lstrlenW (lpString="svchost.exe") returned 11 [0062.755] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.755] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.755] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.756] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.756] lstrlenW (lpString="svchost.exe") returned 11 [0062.756] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.756] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.756] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0062.756] lstrcpyW (in: lpString1=0x19f3ac, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0062.757] lstrlenW (lpString="spoolsv.exe") returned 11 [0062.757] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0062.757] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.757] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.757] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.757] lstrlenW (lpString="svchost.exe") returned 11 [0062.757] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.757] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.757] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.758] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.758] lstrlenW (lpString="svchost.exe") returned 11 [0062.758] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.758] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.758] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0062.759] lstrcpyW (in: lpString1=0x19f3ac, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0062.759] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0062.759] CharUpperBuffW (in: lpsz="OfficeClickToRun.exe", cchLength=0x14 | out: lpsz="OFFICECLICKTORUN.EXE") returned 0x14 [0062.759] lstrcmpW (lpString1="OFFICECLICKTORUN.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.759] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.759] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.759] lstrlenW (lpString="svchost.exe") returned 11 [0062.759] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.759] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.759] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0062.768] lstrcpyW (in: lpString1=0x19f3ac, lpString2="sihost.exe" | out: lpString1="sihost.exe") returned="sihost.exe" [0062.768] lstrlenW (lpString="sihost.exe") returned 10 [0062.768] CharUpperBuffW (in: lpsz="sihost.exe", cchLength=0xa | out: lpsz="SIHOST.EXE") returned 0xa [0062.768] lstrcmpW (lpString1="SIHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.768] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0062.769] lstrcpyW (in: lpString1=0x19f3ac, lpString2="taskhostw.exe" | out: lpString1="taskhostw.exe") returned="taskhostw.exe" [0062.769] lstrlenW (lpString="taskhostw.exe") returned 13 [0062.769] CharUpperBuffW (in: lpsz="taskhostw.exe", cchLength=0xd | out: lpsz="TASKHOSTW.EXE") returned 0xd [0062.769] lstrcmpW (lpString1="TASKHOSTW.EXE", lpString2="SYNTIME.EXE") returned 1 [0062.769] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0062.769] lstrcpyW (in: lpString1=0x19f3ac, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0062.769] lstrlenW (lpString="explorer.exe") returned 12 [0062.769] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0062.769] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.769] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0062.770] lstrcpyW (in: lpString1=0x19f3ac, lpString2="RuntimeBroker.exe" | out: lpString1="RuntimeBroker.exe") returned="RuntimeBroker.exe" [0062.770] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0062.770] CharUpperBuffW (in: lpsz="RuntimeBroker.exe", cchLength=0x11 | out: lpsz="RUNTIMEBROKER.EXE") returned 0x11 [0062.770] lstrcmpW (lpString1="RUNTIMEBROKER.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.770] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0062.771] lstrcpyW (in: lpString1=0x19f3ac, lpString2="ShellExperienceHost.exe" | out: lpString1="ShellExperienceHost.exe") returned="ShellExperienceHost.exe" [0062.771] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0062.771] CharUpperBuffW (in: lpsz="ShellExperienceHost.exe", cchLength=0x17 | out: lpsz="SHELLEXPERIENCEHOST.EXE") returned 0x17 [0062.771] lstrcmpW (lpString1="SHELLEXPERIENCEHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.771] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0062.771] lstrcpyW (in: lpString1=0x19f3ac, lpString2="SearchUI.exe" | out: lpString1="SearchUI.exe") returned="SearchUI.exe" [0062.771] lstrlenW (lpString="SearchUI.exe") returned 12 [0062.771] CharUpperBuffW (in: lpsz="SearchUI.exe", cchLength=0xc | out: lpsz="SEARCHUI.EXE") returned 0xc [0062.771] lstrcmpW (lpString1="SEARCHUI.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.771] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0062.772] lstrcpyW (in: lpString1=0x19f3ac, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0062.772] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0062.772] CharUpperBuffW (in: lpsz="backgroundTaskHost.exe", cchLength=0x16 | out: lpsz="BACKGROUNDTASKHOST.EXE") returned 0x16 [0062.772] lstrcmpW (lpString1="BACKGROUNDTASKHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.772] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0062.773] lstrcpyW (in: lpString1=0x19f3ac, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0062.773] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0062.773] CharUpperBuffW (in: lpsz="backgroundTaskHost.exe", cchLength=0x16 | out: lpsz="BACKGROUNDTASKHOST.EXE") returned 0x16 [0062.773] lstrcmpW (lpString1="BACKGROUNDTASKHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.773] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="commandsxeroxrelationship.exe")) returned 1 [0062.773] lstrcpyW (in: lpString1=0x19f3ac, lpString2="commandsxeroxrelationship.exe" | out: lpString1="commandsxeroxrelationship.exe") returned="commandsxeroxrelationship.exe" [0062.773] lstrlenW (lpString="commandsxeroxrelationship.exe") returned 29 [0062.773] CharUpperBuffW (in: lpsz="commandsxeroxrelationship.exe", cchLength=0x1d | out: lpsz="COMMANDSXEROXRELATIONSHIP.EXE") returned 0x1d [0062.773] lstrcmpW (lpString1="COMMANDSXEROXRELATIONSHIP.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.773] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="terminal recorder.exe")) returned 1 [0062.774] lstrcpyW (in: lpString1=0x19f3ac, lpString2="terminal recorder.exe" | out: lpString1="terminal recorder.exe") returned="terminal recorder.exe" [0062.774] lstrlenW (lpString="terminal recorder.exe") returned 21 [0062.774] CharUpperBuffW (in: lpsz="terminal recorder.exe", cchLength=0x15 | out: lpsz="TERMINAL RECORDER.EXE") returned 0x15 [0062.774] lstrcmpW (lpString1="TERMINAL RECORDER.EXE", lpString2="SYNTIME.EXE") returned 1 [0062.774] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explaining.exe")) returned 1 [0062.774] lstrcpyW (in: lpString1=0x19f3ac, lpString2="explaining.exe" | out: lpString1="explaining.exe") returned="explaining.exe" [0062.774] lstrlenW (lpString="explaining.exe") returned 14 [0062.774] CharUpperBuffW (in: lpsz="explaining.exe", cchLength=0xe | out: lpsz="EXPLAINING.EXE") returned 0xe [0062.775] lstrcmpW (lpString1="EXPLAINING.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.775] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ham.exe")) returned 1 [0062.775] lstrcpyW (in: lpString1=0x19f3ac, lpString2="ham.exe" | out: lpString1="ham.exe") returned="ham.exe" [0062.775] lstrlenW (lpString="ham.exe") returned 7 [0062.775] CharUpperBuffW (in: lpsz="ham.exe", cchLength=0x7 | out: lpsz="HAM.EXE") returned 0x7 [0062.775] lstrcmpW (lpString1="HAM.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.775] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x264, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="controllers_producing_shoe.exe")) returned 1 [0062.776] lstrcpyW (in: lpString1=0x19f3ac, lpString2="controllers_producing_shoe.exe" | out: lpString1="controllers_producing_shoe.exe") returned="controllers_producing_shoe.exe" [0062.776] lstrlenW (lpString="controllers_producing_shoe.exe") returned 30 [0062.776] CharUpperBuffW (in: lpsz="controllers_producing_shoe.exe", cchLength=0x1e | out: lpsz="CONTROLLERS_PRODUCING_SHOE.EXE") returned 0x1e [0062.776] lstrcmpW (lpString1="CONTROLLERS_PRODUCING_SHOE.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.776] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x710, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="recommendation-jack-accepting.exe")) returned 1 [0062.777] lstrcpyW (in: lpString1=0x19f3ac, lpString2="recommendation-jack-accepting.exe" | out: lpString1="recommendation-jack-accepting.exe") returned="recommendation-jack-accepting.exe" [0062.777] lstrlenW (lpString="recommendation-jack-accepting.exe") returned 33 [0062.777] CharUpperBuffW (in: lpsz="recommendation-jack-accepting.exe", cchLength=0x21 | out: lpsz="RECOMMENDATION-JACK-ACCEPTING.EXE") returned 0x21 [0062.777] lstrcmpW (lpString1="RECOMMENDATION-JACK-ACCEPTING.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.777] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vbles.exe")) returned 1 [0062.777] lstrcpyW (in: lpString1=0x19f3ac, lpString2="vbles.exe" | out: lpString1="vbles.exe") returned="vbles.exe" [0062.777] lstrlenW (lpString="vbles.exe") returned 9 [0062.777] CharUpperBuffW (in: lpsz="vbles.exe", cchLength=0x9 | out: lpsz="VBLES.EXE") returned 0x9 [0062.777] lstrcmpW (lpString1="VBLES.EXE", lpString2="SYNTIME.EXE") returned 1 [0062.777] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="hazardsbusinessacrobat.exe")) returned 1 [0062.778] lstrcpyW (in: lpString1=0x19f3ac, lpString2="hazardsbusinessacrobat.exe" | out: lpString1="hazardsbusinessacrobat.exe") returned="hazardsbusinessacrobat.exe" [0062.778] lstrlenW (lpString="hazardsbusinessacrobat.exe") returned 26 [0062.778] CharUpperBuffW (in: lpsz="hazardsbusinessacrobat.exe", cchLength=0x1a | out: lpsz="HAZARDSBUSINESSACROBAT.EXE") returned 0x1a [0062.778] lstrcmpW (lpString1="HAZARDSBUSINESSACROBAT.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.778] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="needs-radar-underground.exe")) returned 1 [0062.778] lstrcpyW (in: lpString1=0x19f3ac, lpString2="needs-radar-underground.exe" | out: lpString1="needs-radar-underground.exe") returned="needs-radar-underground.exe" [0062.779] lstrlenW (lpString="needs-radar-underground.exe") returned 27 [0062.779] CharUpperBuffW (in: lpsz="needs-radar-underground.exe", cchLength=0x1b | out: lpsz="NEEDS-RADAR-UNDERGROUND.EXE") returned 0x1b [0062.779] lstrcmpW (lpString1="NEEDS-RADAR-UNDERGROUND.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.779] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="inventory.exe")) returned 1 [0062.779] lstrcpyW (in: lpString1=0x19f3ac, lpString2="inventory.exe" | out: lpString1="inventory.exe") returned="inventory.exe" [0062.779] lstrlenW (lpString="inventory.exe") returned 13 [0062.779] CharUpperBuffW (in: lpsz="inventory.exe", cchLength=0xd | out: lpsz="INVENTORY.EXE") returned 0xd [0062.779] lstrcmpW (lpString1="INVENTORY.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.779] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="castle.exe")) returned 1 [0062.780] lstrcpyW (in: lpString1=0x19f3ac, lpString2="castle.exe" | out: lpString1="castle.exe") returned="castle.exe" [0062.780] lstrlenW (lpString="castle.exe") returned 10 [0062.780] CharUpperBuffW (in: lpsz="castle.exe", cchLength=0xa | out: lpsz="CASTLE.EXE") returned 0xa [0062.780] lstrcmpW (lpString1="CASTLE.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.780] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="decorative_wit_bikes.exe")) returned 1 [0062.781] lstrcpyW (in: lpString1=0x19f3ac, lpString2="decorative_wit_bikes.exe" | out: lpString1="decorative_wit_bikes.exe") returned="decorative_wit_bikes.exe" [0062.781] lstrlenW (lpString="decorative_wit_bikes.exe") returned 24 [0062.781] CharUpperBuffW (in: lpsz="decorative_wit_bikes.exe", cchLength=0x18 | out: lpsz="DECORATIVE_WIT_BIKES.EXE") returned 0x18 [0062.781] lstrcmpW (lpString1="DECORATIVE_WIT_BIKES.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.781] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pipes reaches processing.exe")) returned 1 [0062.781] lstrcpyW (in: lpString1=0x19f3ac, lpString2="pipes reaches processing.exe" | out: lpString1="pipes reaches processing.exe") returned="pipes reaches processing.exe" [0062.781] lstrlenW (lpString="pipes reaches processing.exe") returned 28 [0062.781] CharUpperBuffW (in: lpsz="pipes reaches processing.exe", cchLength=0x1c | out: lpsz="PIPES REACHES PROCESSING.EXE") returned 0x1c [0062.781] lstrcmpW (lpString1="PIPES REACHES PROCESSING.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.781] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regulatory_chevy.exe")) returned 1 [0062.782] lstrcpyW (in: lpString1=0x19f3ac, lpString2="regulatory_chevy.exe" | out: lpString1="regulatory_chevy.exe") returned="regulatory_chevy.exe" [0062.782] lstrlenW (lpString="regulatory_chevy.exe") returned 20 [0062.782] CharUpperBuffW (in: lpsz="regulatory_chevy.exe", cchLength=0x14 | out: lpsz="REGULATORY_CHEVY.EXE") returned 0x14 [0062.782] lstrcmpW (lpString1="REGULATORY_CHEVY.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.782] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baseball.exe")) returned 1 [0062.783] lstrcpyW (in: lpString1=0x19f3ac, lpString2="baseball.exe" | out: lpString1="baseball.exe") returned="baseball.exe" [0062.783] lstrlenW (lpString="baseball.exe") returned 12 [0062.783] CharUpperBuffW (in: lpsz="baseball.exe", cchLength=0xc | out: lpsz="BASEBALL.EXE") returned 0xc [0062.783] lstrcmpW (lpString1="BASEBALL.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.783] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="beginners.exe")) returned 1 [0062.783] lstrcpyW (in: lpString1=0x19f3ac, lpString2="beginners.exe" | out: lpString1="beginners.exe") returned="beginners.exe" [0062.783] lstrlenW (lpString="beginners.exe") returned 13 [0062.783] CharUpperBuffW (in: lpsz="beginners.exe", cchLength=0xd | out: lpsz="BEGINNERS.EXE") returned 0xd [0062.784] lstrcmpW (lpString1="BEGINNERS.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.784] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x63c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank-specialties-facial.exe")) returned 1 [0062.784] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tank-specialties-facial.exe" | out: lpString1="tank-specialties-facial.exe") returned="tank-specialties-facial.exe" [0062.784] lstrlenW (lpString="tank-specialties-facial.exe") returned 27 [0062.784] CharUpperBuffW (in: lpsz="tank-specialties-facial.exe", cchLength=0x1b | out: lpsz="TANK-SPECIALTIES-FACIAL.EXE") returned 0x1b [0062.784] lstrcmpW (lpString1="TANK-SPECIALTIES-FACIAL.EXE", lpString2="SYNTIME.EXE") returned 1 [0062.784] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="korea.exe")) returned 1 [0062.785] lstrcpyW (in: lpString1=0x19f3ac, lpString2="korea.exe" | out: lpString1="korea.exe") returned="korea.exe" [0062.785] lstrlenW (lpString="korea.exe") returned 9 [0062.785] CharUpperBuffW (in: lpsz="korea.exe", cchLength=0x9 | out: lpsz="KOREA.EXE") returned 0x9 [0062.785] lstrcmpW (lpString1="KOREA.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.785] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="article_unusual.exe")) returned 1 [0062.785] lstrcpyW (in: lpString1=0x19f3ac, lpString2="article_unusual.exe" | out: lpString1="article_unusual.exe") returned="article_unusual.exe" [0062.785] lstrlenW (lpString="article_unusual.exe") returned 19 [0062.785] CharUpperBuffW (in: lpsz="article_unusual.exe", cchLength=0x13 | out: lpsz="ARTICLE_UNUSUAL.EXE") returned 0x13 [0062.785] lstrcmpW (lpString1="ARTICLE_UNUSUAL.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.785] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tokyo.exe")) returned 1 [0062.786] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tokyo.exe" | out: lpString1="tokyo.exe") returned="tokyo.exe" [0062.786] lstrlenW (lpString="tokyo.exe") returned 9 [0062.786] CharUpperBuffW (in: lpsz="tokyo.exe", cchLength=0x9 | out: lpsz="TOKYO.EXE") returned 0x9 [0062.786] lstrcmpW (lpString1="TOKYO.EXE", lpString2="SYNTIME.EXE") returned 1 [0062.786] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0062.786] lstrcpyW (in: lpString1=0x19f3ac, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0062.786] lstrlenW (lpString="audiodg.exe") returned 11 [0062.786] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0062.786] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.787] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tcpsov.exe")) returned 1 [0062.787] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tcpsov.exe" | out: lpString1="tcpsov.exe") returned="tcpsov.exe" [0062.787] lstrlenW (lpString="tcpsov.exe") returned 10 [0062.787] CharUpperBuffW (in: lpsz="tcpsov.exe", cchLength=0xa | out: lpsz="TCPSOV.EXE") returned 0xa [0062.787] lstrcmpW (lpString1="TCPSOV.EXE", lpString2="SYNTIME.EXE") returned 1 [0062.787] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0062.788] lstrcpyW (in: lpString1=0x19f3ac, lpString2="dllhost.exe" | out: lpString1="dllhost.exe") returned="dllhost.exe" [0062.788] lstrlenW (lpString="dllhost.exe") returned 11 [0062.788] CharUpperBuffW (in: lpsz="dllhost.exe", cchLength=0xb | out: lpsz="DLLHOST.EXE") returned 0xb [0062.788] lstrcmpW (lpString1="DLLHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.788] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.788] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.788] lstrlenW (lpString="svchost.exe") returned 11 [0062.788] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.788] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SYNTIME.EXE") returned -1 [0062.788] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0062.789] CloseHandle (hObject=0x18c) returned 1 [0062.789] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0062.793] lstrcpyW (in: lpString1=0x19f5b4, lpString2="agntsv.exe" | out: lpString1="agntsv.exe") returned="agntsv.exe" [0062.793] lstrlenW (lpString="agntsv.exe") returned 10 [0062.793] CharUpperBuffW (in: lpsz="agntsv.exe", cchLength=0xa | out: lpsz="AGNTSV.EXE") returned 0xa [0062.793] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.794] lstrcpyW (in: lpString1=0x19f3ac, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0062.794] lstrlenW (lpString="[System Process]") returned 16 [0062.794] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0062.794] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="AGNTSV.EXE") returned -1 [0062.794] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x69, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0062.794] lstrcpyW (in: lpString1=0x19f3ac, lpString2="System" | out: lpString1="System") returned="System" [0062.794] lstrlenW (lpString="System") returned 6 [0062.794] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0062.794] lstrcmpW (lpString1="SYSTEM", lpString2="AGNTSV.EXE") returned 1 [0062.794] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0062.795] lstrcpyW (in: lpString1=0x19f3ac, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0062.795] lstrlenW (lpString="smss.exe") returned 8 [0062.795] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0062.795] lstrcmpW (lpString1="SMSS.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.795] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.796] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.796] lstrlenW (lpString="csrss.exe") returned 9 [0062.796] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.796] lstrcmpW (lpString1="CSRSS.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.796] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0062.796] lstrcpyW (in: lpString1=0x19f3ac, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0062.796] lstrlenW (lpString="wininit.exe") returned 11 [0062.796] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0062.796] lstrcmpW (lpString1="WININIT.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.796] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.797] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.797] lstrlenW (lpString="csrss.exe") returned 9 [0062.797] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.797] lstrcmpW (lpString1="CSRSS.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.797] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0062.797] lstrcpyW (in: lpString1=0x19f3ac, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0062.797] lstrlenW (lpString="winlogon.exe") returned 12 [0062.797] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0062.797] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.797] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0062.798] lstrcpyW (in: lpString1=0x19f3ac, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0062.798] lstrlenW (lpString="services.exe") returned 12 [0062.798] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0062.798] lstrcmpW (lpString1="SERVICES.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.798] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0062.798] lstrcpyW (in: lpString1=0x19f3ac, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0062.798] lstrlenW (lpString="lsass.exe") returned 9 [0062.799] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0062.799] lstrcmpW (lpString1="LSASS.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.799] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.799] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.799] lstrlenW (lpString="svchost.exe") returned 11 [0062.799] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.799] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.799] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.800] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.800] lstrlenW (lpString="svchost.exe") returned 11 [0062.800] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.800] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.800] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0062.800] lstrcpyW (in: lpString1=0x19f3ac, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0062.800] lstrlenW (lpString="dwm.exe") returned 7 [0062.800] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0062.800] lstrcmpW (lpString1="DWM.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.800] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.801] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.801] lstrlenW (lpString="svchost.exe") returned 11 [0062.801] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.801] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.801] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.801] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.801] lstrlenW (lpString="svchost.exe") returned 11 [0062.801] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.801] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.801] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.802] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.802] lstrlenW (lpString="svchost.exe") returned 11 [0062.802] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.802] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.802] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.803] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.803] lstrlenW (lpString="svchost.exe") returned 11 [0062.803] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.803] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.803] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.803] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.803] lstrlenW (lpString="svchost.exe") returned 11 [0062.803] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.803] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.803] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.804] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.804] lstrlenW (lpString="svchost.exe") returned 11 [0062.804] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.804] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.804] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0062.805] lstrcpyW (in: lpString1=0x19f3ac, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0062.805] lstrlenW (lpString="spoolsv.exe") returned 11 [0062.805] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0062.805] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.805] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.805] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.805] lstrlenW (lpString="svchost.exe") returned 11 [0062.805] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.805] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.805] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.806] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.806] lstrlenW (lpString="svchost.exe") returned 11 [0062.806] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.806] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.806] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0062.807] lstrcpyW (in: lpString1=0x19f3ac, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0062.807] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0062.807] CharUpperBuffW (in: lpsz="OfficeClickToRun.exe", cchLength=0x14 | out: lpsz="OFFICECLICKTORUN.EXE") returned 0x14 [0062.807] lstrcmpW (lpString1="OFFICECLICKTORUN.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.807] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.807] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.807] lstrlenW (lpString="svchost.exe") returned 11 [0062.807] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.807] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.807] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0062.808] lstrcpyW (in: lpString1=0x19f3ac, lpString2="sihost.exe" | out: lpString1="sihost.exe") returned="sihost.exe" [0062.808] lstrlenW (lpString="sihost.exe") returned 10 [0062.808] CharUpperBuffW (in: lpsz="sihost.exe", cchLength=0xa | out: lpsz="SIHOST.EXE") returned 0xa [0062.808] lstrcmpW (lpString1="SIHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.808] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0062.809] lstrcpyW (in: lpString1=0x19f3ac, lpString2="taskhostw.exe" | out: lpString1="taskhostw.exe") returned="taskhostw.exe" [0062.809] lstrlenW (lpString="taskhostw.exe") returned 13 [0062.809] CharUpperBuffW (in: lpsz="taskhostw.exe", cchLength=0xd | out: lpsz="TASKHOSTW.EXE") returned 0xd [0062.809] lstrcmpW (lpString1="TASKHOSTW.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.809] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0062.809] lstrcpyW (in: lpString1=0x19f3ac, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0062.809] lstrlenW (lpString="explorer.exe") returned 12 [0062.809] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0062.809] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.809] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0062.810] lstrcpyW (in: lpString1=0x19f3ac, lpString2="RuntimeBroker.exe" | out: lpString1="RuntimeBroker.exe") returned="RuntimeBroker.exe" [0062.810] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0062.810] CharUpperBuffW (in: lpsz="RuntimeBroker.exe", cchLength=0x11 | out: lpsz="RUNTIMEBROKER.EXE") returned 0x11 [0062.810] lstrcmpW (lpString1="RUNTIMEBROKER.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.810] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0062.811] lstrcpyW (in: lpString1=0x19f3ac, lpString2="ShellExperienceHost.exe" | out: lpString1="ShellExperienceHost.exe") returned="ShellExperienceHost.exe" [0062.811] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0062.811] CharUpperBuffW (in: lpsz="ShellExperienceHost.exe", cchLength=0x17 | out: lpsz="SHELLEXPERIENCEHOST.EXE") returned 0x17 [0062.811] lstrcmpW (lpString1="SHELLEXPERIENCEHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.811] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0062.811] lstrcpyW (in: lpString1=0x19f3ac, lpString2="SearchUI.exe" | out: lpString1="SearchUI.exe") returned="SearchUI.exe" [0062.811] lstrlenW (lpString="SearchUI.exe") returned 12 [0062.811] CharUpperBuffW (in: lpsz="SearchUI.exe", cchLength=0xc | out: lpsz="SEARCHUI.EXE") returned 0xc [0062.811] lstrcmpW (lpString1="SEARCHUI.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.811] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0062.812] lstrcpyW (in: lpString1=0x19f3ac, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0062.812] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0062.812] CharUpperBuffW (in: lpsz="backgroundTaskHost.exe", cchLength=0x16 | out: lpsz="BACKGROUNDTASKHOST.EXE") returned 0x16 [0062.812] lstrcmpW (lpString1="BACKGROUNDTASKHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.812] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x754, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0062.813] lstrcpyW (in: lpString1=0x19f3ac, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0062.813] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0062.813] CharUpperBuffW (in: lpsz="backgroundTaskHost.exe", cchLength=0x16 | out: lpsz="BACKGROUNDTASKHOST.EXE") returned 0x16 [0062.813] lstrcmpW (lpString1="BACKGROUNDTASKHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.813] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="commandsxeroxrelationship.exe")) returned 1 [0062.814] lstrcpyW (in: lpString1=0x19f3ac, lpString2="commandsxeroxrelationship.exe" | out: lpString1="commandsxeroxrelationship.exe") returned="commandsxeroxrelationship.exe" [0062.814] lstrlenW (lpString="commandsxeroxrelationship.exe") returned 29 [0062.814] CharUpperBuffW (in: lpsz="commandsxeroxrelationship.exe", cchLength=0x1d | out: lpsz="COMMANDSXEROXRELATIONSHIP.EXE") returned 0x1d [0062.814] lstrcmpW (lpString1="COMMANDSXEROXRELATIONSHIP.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.814] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="terminal recorder.exe")) returned 1 [0062.814] lstrcpyW (in: lpString1=0x19f3ac, lpString2="terminal recorder.exe" | out: lpString1="terminal recorder.exe") returned="terminal recorder.exe" [0062.814] lstrlenW (lpString="terminal recorder.exe") returned 21 [0062.814] CharUpperBuffW (in: lpsz="terminal recorder.exe", cchLength=0x15 | out: lpsz="TERMINAL RECORDER.EXE") returned 0x15 [0062.814] lstrcmpW (lpString1="TERMINAL RECORDER.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.814] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explaining.exe")) returned 1 [0062.815] lstrcpyW (in: lpString1=0x19f3ac, lpString2="explaining.exe" | out: lpString1="explaining.exe") returned="explaining.exe" [0062.815] lstrlenW (lpString="explaining.exe") returned 14 [0062.815] CharUpperBuffW (in: lpsz="explaining.exe", cchLength=0xe | out: lpsz="EXPLAINING.EXE") returned 0xe [0062.815] lstrcmpW (lpString1="EXPLAINING.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.815] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ham.exe")) returned 1 [0062.815] lstrcpyW (in: lpString1=0x19f3ac, lpString2="ham.exe" | out: lpString1="ham.exe") returned="ham.exe" [0062.815] lstrlenW (lpString="ham.exe") returned 7 [0062.815] CharUpperBuffW (in: lpsz="ham.exe", cchLength=0x7 | out: lpsz="HAM.EXE") returned 0x7 [0062.815] lstrcmpW (lpString1="HAM.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.815] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x264, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="controllers_producing_shoe.exe")) returned 1 [0062.816] lstrcpyW (in: lpString1=0x19f3ac, lpString2="controllers_producing_shoe.exe" | out: lpString1="controllers_producing_shoe.exe") returned="controllers_producing_shoe.exe" [0062.816] lstrlenW (lpString="controllers_producing_shoe.exe") returned 30 [0062.816] CharUpperBuffW (in: lpsz="controllers_producing_shoe.exe", cchLength=0x1e | out: lpsz="CONTROLLERS_PRODUCING_SHOE.EXE") returned 0x1e [0062.816] lstrcmpW (lpString1="CONTROLLERS_PRODUCING_SHOE.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.816] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x710, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="recommendation-jack-accepting.exe")) returned 1 [0062.817] lstrcpyW (in: lpString1=0x19f3ac, lpString2="recommendation-jack-accepting.exe" | out: lpString1="recommendation-jack-accepting.exe") returned="recommendation-jack-accepting.exe" [0062.817] lstrlenW (lpString="recommendation-jack-accepting.exe") returned 33 [0062.817] CharUpperBuffW (in: lpsz="recommendation-jack-accepting.exe", cchLength=0x21 | out: lpsz="RECOMMENDATION-JACK-ACCEPTING.EXE") returned 0x21 [0062.817] lstrcmpW (lpString1="RECOMMENDATION-JACK-ACCEPTING.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.817] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vbles.exe")) returned 1 [0062.817] lstrcpyW (in: lpString1=0x19f3ac, lpString2="vbles.exe" | out: lpString1="vbles.exe") returned="vbles.exe" [0062.817] lstrlenW (lpString="vbles.exe") returned 9 [0062.817] CharUpperBuffW (in: lpsz="vbles.exe", cchLength=0x9 | out: lpsz="VBLES.EXE") returned 0x9 [0062.817] lstrcmpW (lpString1="VBLES.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.817] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="hazardsbusinessacrobat.exe")) returned 1 [0062.818] lstrcpyW (in: lpString1=0x19f3ac, lpString2="hazardsbusinessacrobat.exe" | out: lpString1="hazardsbusinessacrobat.exe") returned="hazardsbusinessacrobat.exe" [0062.818] lstrlenW (lpString="hazardsbusinessacrobat.exe") returned 26 [0062.818] CharUpperBuffW (in: lpsz="hazardsbusinessacrobat.exe", cchLength=0x1a | out: lpsz="HAZARDSBUSINESSACROBAT.EXE") returned 0x1a [0062.818] lstrcmpW (lpString1="HAZARDSBUSINESSACROBAT.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.818] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="needs-radar-underground.exe")) returned 1 [0062.818] lstrcpyW (in: lpString1=0x19f3ac, lpString2="needs-radar-underground.exe" | out: lpString1="needs-radar-underground.exe") returned="needs-radar-underground.exe" [0062.818] lstrlenW (lpString="needs-radar-underground.exe") returned 27 [0062.818] CharUpperBuffW (in: lpsz="needs-radar-underground.exe", cchLength=0x1b | out: lpsz="NEEDS-RADAR-UNDERGROUND.EXE") returned 0x1b [0062.818] lstrcmpW (lpString1="NEEDS-RADAR-UNDERGROUND.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.818] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="inventory.exe")) returned 1 [0062.819] lstrcpyW (in: lpString1=0x19f3ac, lpString2="inventory.exe" | out: lpString1="inventory.exe") returned="inventory.exe" [0062.819] lstrlenW (lpString="inventory.exe") returned 13 [0062.819] CharUpperBuffW (in: lpsz="inventory.exe", cchLength=0xd | out: lpsz="INVENTORY.EXE") returned 0xd [0062.819] lstrcmpW (lpString1="INVENTORY.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.819] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="castle.exe")) returned 1 [0062.819] lstrcpyW (in: lpString1=0x19f3ac, lpString2="castle.exe" | out: lpString1="castle.exe") returned="castle.exe" [0062.819] lstrlenW (lpString="castle.exe") returned 10 [0062.820] CharUpperBuffW (in: lpsz="castle.exe", cchLength=0xa | out: lpsz="CASTLE.EXE") returned 0xa [0062.820] lstrcmpW (lpString1="CASTLE.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.820] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="decorative_wit_bikes.exe")) returned 1 [0062.820] lstrcpyW (in: lpString1=0x19f3ac, lpString2="decorative_wit_bikes.exe" | out: lpString1="decorative_wit_bikes.exe") returned="decorative_wit_bikes.exe" [0062.820] lstrlenW (lpString="decorative_wit_bikes.exe") returned 24 [0062.820] CharUpperBuffW (in: lpsz="decorative_wit_bikes.exe", cchLength=0x18 | out: lpsz="DECORATIVE_WIT_BIKES.EXE") returned 0x18 [0062.820] lstrcmpW (lpString1="DECORATIVE_WIT_BIKES.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.820] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pipes reaches processing.exe")) returned 1 [0062.821] lstrcpyW (in: lpString1=0x19f3ac, lpString2="pipes reaches processing.exe" | out: lpString1="pipes reaches processing.exe") returned="pipes reaches processing.exe" [0062.821] lstrlenW (lpString="pipes reaches processing.exe") returned 28 [0062.821] CharUpperBuffW (in: lpsz="pipes reaches processing.exe", cchLength=0x1c | out: lpsz="PIPES REACHES PROCESSING.EXE") returned 0x1c [0062.821] lstrcmpW (lpString1="PIPES REACHES PROCESSING.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.821] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regulatory_chevy.exe")) returned 1 [0062.821] lstrcpyW (in: lpString1=0x19f3ac, lpString2="regulatory_chevy.exe" | out: lpString1="regulatory_chevy.exe") returned="regulatory_chevy.exe" [0062.821] lstrlenW (lpString="regulatory_chevy.exe") returned 20 [0062.821] CharUpperBuffW (in: lpsz="regulatory_chevy.exe", cchLength=0x14 | out: lpsz="REGULATORY_CHEVY.EXE") returned 0x14 [0062.821] lstrcmpW (lpString1="REGULATORY_CHEVY.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.821] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baseball.exe")) returned 1 [0062.822] lstrcpyW (in: lpString1=0x19f3ac, lpString2="baseball.exe" | out: lpString1="baseball.exe") returned="baseball.exe" [0062.822] lstrlenW (lpString="baseball.exe") returned 12 [0062.822] CharUpperBuffW (in: lpsz="baseball.exe", cchLength=0xc | out: lpsz="BASEBALL.EXE") returned 0xc [0062.822] lstrcmpW (lpString1="BASEBALL.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.822] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="beginners.exe")) returned 1 [0062.823] lstrcpyW (in: lpString1=0x19f3ac, lpString2="beginners.exe" | out: lpString1="beginners.exe") returned="beginners.exe" [0062.823] lstrlenW (lpString="beginners.exe") returned 13 [0062.823] CharUpperBuffW (in: lpsz="beginners.exe", cchLength=0xd | out: lpsz="BEGINNERS.EXE") returned 0xd [0062.823] lstrcmpW (lpString1="BEGINNERS.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.823] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x63c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tank-specialties-facial.exe")) returned 1 [0062.824] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tank-specialties-facial.exe" | out: lpString1="tank-specialties-facial.exe") returned="tank-specialties-facial.exe" [0062.824] lstrlenW (lpString="tank-specialties-facial.exe") returned 27 [0062.824] CharUpperBuffW (in: lpsz="tank-specialties-facial.exe", cchLength=0x1b | out: lpsz="TANK-SPECIALTIES-FACIAL.EXE") returned 0x1b [0062.824] lstrcmpW (lpString1="TANK-SPECIALTIES-FACIAL.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.824] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="korea.exe")) returned 1 [0062.824] lstrcpyW (in: lpString1=0x19f3ac, lpString2="korea.exe" | out: lpString1="korea.exe") returned="korea.exe" [0062.824] lstrlenW (lpString="korea.exe") returned 9 [0062.824] CharUpperBuffW (in: lpsz="korea.exe", cchLength=0x9 | out: lpsz="KOREA.EXE") returned 0x9 [0062.824] lstrcmpW (lpString1="KOREA.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.824] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="article_unusual.exe")) returned 1 [0062.825] lstrcpyW (in: lpString1=0x19f3ac, lpString2="article_unusual.exe" | out: lpString1="article_unusual.exe") returned="article_unusual.exe" [0062.825] lstrlenW (lpString="article_unusual.exe") returned 19 [0062.825] CharUpperBuffW (in: lpsz="article_unusual.exe", cchLength=0x13 | out: lpsz="ARTICLE_UNUSUAL.EXE") returned 0x13 [0062.825] lstrcmpW (lpString1="ARTICLE_UNUSUAL.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.825] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tokyo.exe")) returned 1 [0062.825] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tokyo.exe" | out: lpString1="tokyo.exe") returned="tokyo.exe" [0062.825] lstrlenW (lpString="tokyo.exe") returned 9 [0062.825] CharUpperBuffW (in: lpsz="tokyo.exe", cchLength=0x9 | out: lpsz="TOKYO.EXE") returned 0x9 [0062.825] lstrcmpW (lpString1="TOKYO.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.825] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0062.826] lstrcpyW (in: lpString1=0x19f3ac, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0062.826] lstrlenW (lpString="audiodg.exe") returned 11 [0062.826] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0062.826] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.826] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tcpsov.exe")) returned 1 [0062.826] lstrcpyW (in: lpString1=0x19f3ac, lpString2="tcpsov.exe" | out: lpString1="tcpsov.exe") returned="tcpsov.exe" [0062.827] lstrlenW (lpString="tcpsov.exe") returned 10 [0062.827] CharUpperBuffW (in: lpsz="tcpsov.exe", cchLength=0xa | out: lpsz="TCPSOV.EXE") returned 0xa [0062.827] lstrcmpW (lpString1="TCPSOV.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.827] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0062.827] lstrcpyW (in: lpString1=0x19f3ac, lpString2="dllhost.exe" | out: lpString1="dllhost.exe") returned="dllhost.exe" [0062.827] lstrlenW (lpString="dllhost.exe") returned 11 [0062.827] CharUpperBuffW (in: lpsz="dllhost.exe", cchLength=0xb | out: lpsz="DLLHOST.EXE") returned 0xb [0062.827] lstrcmpW (lpString1="DLLHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.827] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.828] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.828] lstrlenW (lpString="svchost.exe") returned 11 [0062.828] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.828] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="AGNTSV.EXE") returned 1 [0062.828] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0062.828] CloseHandle (hObject=0x18c) returned 1 [0062.828] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0062.831] lstrcpyW (in: lpString1=0x19f5b4, lpString2="mysqld-opt.exe" | out: lpString1="mysqld-opt.exe") returned="mysqld-opt.exe" [0062.831] lstrlenW (lpString="mysqld-opt.exe") returned 14 [0062.831] CharUpperBuffW (in: lpsz="mysqld-opt.exe", cchLength=0xe | out: lpsz="MYSQLD-OPT.EXE") returned 0xe [0062.831] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.832] lstrcpyW (in: lpString1=0x19f3ac, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0062.832] lstrlenW (lpString="[System Process]") returned 16 [0062.832] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0062.832] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="MYSQLD-OPT.EXE") returned -1 [0062.832] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x69, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0062.832] lstrcpyW (in: lpString1=0x19f3ac, lpString2="System" | out: lpString1="System") returned="System" [0062.832] lstrlenW (lpString="System") returned 6 [0062.832] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0062.832] lstrcmpW (lpString1="SYSTEM", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.832] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0062.833] lstrcpyW (in: lpString1=0x19f3ac, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0062.833] lstrlenW (lpString="smss.exe") returned 8 [0062.833] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0062.833] lstrcmpW (lpString1="SMSS.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.833] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.834] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.834] lstrlenW (lpString="csrss.exe") returned 9 [0062.834] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.834] lstrcmpW (lpString1="CSRSS.EXE", lpString2="MYSQLD-OPT.EXE") returned -1 [0062.834] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0062.834] lstrcpyW (in: lpString1=0x19f3ac, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0062.834] lstrlenW (lpString="wininit.exe") returned 11 [0062.834] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0062.834] lstrcmpW (lpString1="WININIT.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.834] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0062.835] lstrcpyW (in: lpString1=0x19f3ac, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0062.835] lstrlenW (lpString="csrss.exe") returned 9 [0062.835] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0062.835] lstrcmpW (lpString1="CSRSS.EXE", lpString2="MYSQLD-OPT.EXE") returned -1 [0062.835] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0062.835] lstrcpyW (in: lpString1=0x19f3ac, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0062.835] lstrlenW (lpString="winlogon.exe") returned 12 [0062.835] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0062.835] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.835] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0062.836] lstrcpyW (in: lpString1=0x19f3ac, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0062.836] lstrlenW (lpString="services.exe") returned 12 [0062.836] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0062.836] lstrcmpW (lpString1="SERVICES.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.836] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0062.836] lstrcpyW (in: lpString1=0x19f3ac, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0062.836] lstrlenW (lpString="lsass.exe") returned 9 [0062.837] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0062.837] lstrcmpW (lpString1="LSASS.EXE", lpString2="MYSQLD-OPT.EXE") returned -1 [0062.837] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.837] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.837] lstrlenW (lpString="svchost.exe") returned 11 [0062.837] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.837] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.837] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.838] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.838] lstrlenW (lpString="svchost.exe") returned 11 [0062.838] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.838] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.838] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0062.839] lstrcpyW (in: lpString1=0x19f3ac, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0062.839] lstrlenW (lpString="dwm.exe") returned 7 [0062.839] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0062.839] lstrcmpW (lpString1="DWM.EXE", lpString2="MYSQLD-OPT.EXE") returned -1 [0062.839] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x47, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.839] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.839] lstrlenW (lpString="svchost.exe") returned 11 [0062.839] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.839] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.839] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.840] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.840] lstrlenW (lpString="svchost.exe") returned 11 [0062.840] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.840] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.840] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.841] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.841] lstrlenW (lpString="svchost.exe") returned 11 [0062.841] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.841] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.841] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.841] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.841] lstrlenW (lpString="svchost.exe") returned 11 [0062.841] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.841] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.841] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.842] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.842] lstrlenW (lpString="svchost.exe") returned 11 [0062.842] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.842] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.842] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.842] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.842] lstrlenW (lpString="svchost.exe") returned 11 [0062.843] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.843] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.843] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0062.843] lstrcpyW (in: lpString1=0x19f3ac, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0062.843] lstrlenW (lpString="spoolsv.exe") returned 11 [0062.843] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0062.843] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.843] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.844] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.844] lstrlenW (lpString="svchost.exe") returned 11 [0062.844] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.844] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.844] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.845] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.845] lstrlenW (lpString="svchost.exe") returned 11 [0062.845] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.845] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.845] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0062.845] lstrcpyW (in: lpString1=0x19f3ac, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0062.845] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0062.845] CharUpperBuffW (in: lpsz="OfficeClickToRun.exe", cchLength=0x14 | out: lpsz="OFFICECLICKTORUN.EXE") returned 0x14 [0062.845] lstrcmpW (lpString1="OFFICECLICKTORUN.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.845] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0062.846] lstrcpyW (in: lpString1=0x19f3ac, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0062.846] lstrlenW (lpString="svchost.exe") returned 11 [0062.846] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0062.846] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.846] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0062.846] lstrcpyW (in: lpString1=0x19f3ac, lpString2="sihost.exe" | out: lpString1="sihost.exe") returned="sihost.exe" [0062.846] lstrlenW (lpString="sihost.exe") returned 10 [0062.846] CharUpperBuffW (in: lpsz="sihost.exe", cchLength=0xa | out: lpsz="SIHOST.EXE") returned 0xa [0062.847] lstrcmpW (lpString1="SIHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.847] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0062.847] lstrcpyW (in: lpString1=0x19f3ac, lpString2="taskhostw.exe" | out: lpString1="taskhostw.exe") returned="taskhostw.exe" [0062.847] lstrlenW (lpString="taskhostw.exe") returned 13 [0062.847] CharUpperBuffW (in: lpsz="taskhostw.exe", cchLength=0xd | out: lpsz="TASKHOSTW.EXE") returned 0xd [0062.847] lstrcmpW (lpString1="TASKHOSTW.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.847] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0062.848] lstrcpyW (in: lpString1=0x19f3ac, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0062.848] lstrlenW (lpString="explorer.exe") returned 12 [0062.848] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0062.848] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="MYSQLD-OPT.EXE") returned -1 [0062.848] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0062.848] lstrcpyW (in: lpString1=0x19f3ac, lpString2="RuntimeBroker.exe" | out: lpString1="RuntimeBroker.exe") returned="RuntimeBroker.exe" [0062.848] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0062.848] CharUpperBuffW (in: lpsz="RuntimeBroker.exe", cchLength=0x11 | out: lpsz="RUNTIMEBROKER.EXE") returned 0x11 [0062.848] lstrcmpW (lpString1="RUNTIMEBROKER.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.848] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0062.849] lstrcpyW (in: lpString1=0x19f3ac, lpString2="ShellExperienceHost.exe" | out: lpString1="ShellExperienceHost.exe") returned="ShellExperienceHost.exe" [0062.849] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0062.849] CharUpperBuffW (in: lpsz="ShellExperienceHost.exe", cchLength=0x17 | out: lpsz="SHELLEXPERIENCEHOST.EXE") returned 0x17 [0062.849] lstrcmpW (lpString1="SHELLEXPERIENCEHOST.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.849] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0062.849] lstrcpyW (in: lpString1=0x19f3ac, lpString2="SearchUI.exe" | out: lpString1="SearchUI.exe") returned="SearchUI.exe" [0062.849] lstrlenW (lpString="SearchUI.exe") returned 12 [0062.849] CharUpperBuffW (in: lpsz="SearchUI.exe", cchLength=0xc | out: lpsz="SEARCHUI.EXE") returned 0xc [0062.850] lstrcmpW (lpString1="SEARCHUI.EXE", lpString2="MYSQLD-OPT.EXE") returned 1 [0062.850] Process32NextW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0062.859] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0062.862] lstrcpyW (in: lpString1=0x19f5b4, lpString2="tbirdonfig.exe" | out: lpString1="tbirdonfig.exe") returned="tbirdonfig.exe" [0062.862] lstrlenW (lpString="tbirdonfig.exe") returned 14 [0062.862] CharUpperBuffW (in: lpsz="tbirdonfig.exe", cchLength=0xe | out: lpsz="TBIRDONFIG.EXE") returned 0xe [0062.862] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.881] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0062.884] lstrcpyW (in: lpString1=0x19f5b4, lpString2="dbeng50.exe" | out: lpString1="dbeng50.exe") returned="dbeng50.exe" [0062.884] lstrlenW (lpString="dbeng50.exe") returned 11 [0062.884] CharUpperBuffW (in: lpsz="dbeng50.exe", cchLength=0xb | out: lpsz="DBENG50.EXE") returned 0xb [0062.884] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.956] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0062.959] lstrcpyW (in: lpString1=0x19f5b4, lpString2="oautoupds.exe" | out: lpString1="oautoupds.exe") returned="oautoupds.exe" [0062.959] lstrlenW (lpString="oautoupds.exe") returned 13 [0062.959] CharUpperBuffW (in: lpsz="oautoupds.exe", cchLength=0xd | out: lpsz="OAUTOUPDS.EXE") returned 0xd [0062.959] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0062.977] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0062.982] lstrcpyW (in: lpString1=0x19f5b4, lpString2="thebat.exe" | out: lpString1="thebat.exe") returned="thebat.exe" [0062.982] lstrlenW (lpString="thebat.exe") returned 10 [0062.982] CharUpperBuffW (in: lpsz="thebat.exe", cchLength=0xa | out: lpsz="THEBAT.EXE") returned 0xa [0062.982] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.000] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.003] lstrcpyW (in: lpString1=0x19f5b4, lpString2="dbsnmp.exe" | out: lpString1="dbsnmp.exe") returned="dbsnmp.exe" [0063.003] lstrlenW (lpString="dbsnmp.exe") returned 10 [0063.003] CharUpperBuffW (in: lpsz="dbsnmp.exe", cchLength=0xa | out: lpsz="DBSNMP.EXE") returned 0xa [0063.003] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.021] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.024] lstrcpyW (in: lpString1=0x19f5b4, lpString2="oomm.exe" | out: lpString1="oomm.exe") returned="oomm.exe" [0063.024] lstrlenW (lpString="oomm.exe") returned 8 [0063.024] CharUpperBuffW (in: lpsz="oomm.exe", cchLength=0x8 | out: lpsz="OOMM.EXE") returned 0x8 [0063.024] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.044] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.047] lstrcpyW (in: lpString1=0x19f5b4, lpString2="thebat64.exe" | out: lpString1="thebat64.exe") returned="thebat64.exe" [0063.047] lstrlenW (lpString="thebat64.exe") returned 12 [0063.047] CharUpperBuffW (in: lpsz="thebat64.exe", cchLength=0xc | out: lpsz="THEBAT64.EXE") returned 0xc [0063.047] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.064] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.067] lstrcpyW (in: lpString1=0x19f5b4, lpString2="ensv.exe" | out: lpString1="ensv.exe") returned="ensv.exe" [0063.067] lstrlenW (lpString="ensv.exe") returned 8 [0063.067] CharUpperBuffW (in: lpsz="ensv.exe", cchLength=0x8 | out: lpsz="ENSV.EXE") returned 0x8 [0063.067] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.085] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.088] lstrcpyW (in: lpString1=0x19f5b4, lpString2="ossd.exe" | out: lpString1="ossd.exe") returned="ossd.exe" [0063.088] lstrlenW (lpString="ossd.exe") returned 8 [0063.088] CharUpperBuffW (in: lpsz="ossd.exe", cchLength=0x8 | out: lpsz="OSSD.EXE") returned 0x8 [0063.088] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.107] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.110] lstrcpyW (in: lpString1=0x19f5b4, lpString2="thunderbird.exe" | out: lpString1="thunderbird.exe") returned="thunderbird.exe" [0063.110] lstrlenW (lpString="thunderbird.exe") returned 15 [0063.110] CharUpperBuffW (in: lpsz="thunderbird.exe", cchLength=0xf | out: lpsz="THUNDERBIRD.EXE") returned 0xf [0063.110] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.128] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.130] lstrcpyW (in: lpString1=0x19f5b4, lpString2="exel.exe" | out: lpString1="exel.exe") returned="exel.exe" [0063.130] lstrlenW (lpString="exel.exe") returned 8 [0063.130] CharUpperBuffW (in: lpsz="exel.exe", cchLength=0x8 | out: lpsz="EXEL.EXE") returned 0x8 [0063.130] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.149] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.153] lstrcpyW (in: lpString1=0x19f5b4, lpString2="onenote.exe" | out: lpString1="onenote.exe") returned="onenote.exe" [0063.153] lstrlenW (lpString="onenote.exe") returned 11 [0063.153] CharUpperBuffW (in: lpsz="onenote.exe", cchLength=0xb | out: lpsz="ONENOTE.EXE") returned 0xb [0063.153] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.173] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.175] lstrcpyW (in: lpString1=0x19f5b4, lpString2="visio.exe" | out: lpString1="visio.exe") returned="visio.exe" [0063.176] lstrlenW (lpString="visio.exe") returned 9 [0063.176] CharUpperBuffW (in: lpsz="visio.exe", cchLength=0x9 | out: lpsz="VISIO.EXE") returned 0x9 [0063.176] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.193] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.196] lstrcpyW (in: lpString1=0x19f5b4, lpString2="firefoxonfig.exe" | out: lpString1="firefoxonfig.exe") returned="firefoxonfig.exe" [0063.196] lstrlenW (lpString="firefoxonfig.exe") returned 16 [0063.196] CharUpperBuffW (in: lpsz="firefoxonfig.exe", cchLength=0x10 | out: lpsz="FIREFOXONFIG.EXE") returned 0x10 [0063.196] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.215] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.218] lstrcpyW (in: lpString1=0x19f5b4, lpString2="orale.exe" | out: lpString1="orale.exe") returned="orale.exe" [0063.218] lstrlenW (lpString="orale.exe") returned 9 [0063.218] CharUpperBuffW (in: lpsz="orale.exe", cchLength=0x9 | out: lpsz="ORALE.EXE") returned 0x9 [0063.218] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.236] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.239] lstrcpyW (in: lpString1=0x19f5b4, lpString2="winword.exe" | out: lpString1="winword.exe") returned="winword.exe" [0063.239] lstrlenW (lpString="winword.exe") returned 11 [0063.239] CharUpperBuffW (in: lpsz="winword.exe", cchLength=0xb | out: lpsz="WINWORD.EXE") returned 0xb [0063.239] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.258] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.261] lstrcpyW (in: lpString1=0x19f5b4, lpString2="infopath.exe" | out: lpString1="infopath.exe") returned="infopath.exe" [0063.261] lstrlenW (lpString="infopath.exe") returned 12 [0063.261] CharUpperBuffW (in: lpsz="infopath.exe", cchLength=0xc | out: lpsz="INFOPATH.EXE") returned 0xc [0063.261] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.317] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.320] lstrcpyW (in: lpString1=0x19f5b4, lpString2="outlook.exe" | out: lpString1="outlook.exe") returned="outlook.exe" [0063.320] lstrlenW (lpString="outlook.exe") returned 11 [0063.320] CharUpperBuffW (in: lpsz="outlook.exe", cchLength=0xb | out: lpsz="OUTLOOK.EXE") returned 0xb [0063.321] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.339] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.342] lstrcpyW (in: lpString1=0x19f5b4, lpString2="wordpad.exe" | out: lpString1="wordpad.exe") returned="wordpad.exe" [0063.342] lstrlenW (lpString="wordpad.exe") returned 11 [0063.342] CharUpperBuffW (in: lpsz="wordpad.exe", cchLength=0xb | out: lpsz="WORDPAD.EXE") returned 0xb [0063.342] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.359] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.362] lstrcpyW (in: lpString1=0x19f5b4, lpString2="isqlplussv.exe" | out: lpString1="isqlplussv.exe") returned="isqlplussv.exe" [0063.362] lstrlenW (lpString="isqlplussv.exe") returned 14 [0063.362] CharUpperBuffW (in: lpsz="isqlplussv.exe", cchLength=0xe | out: lpsz="ISQLPLUSSV.EXE") returned 0xe [0063.362] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.380] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.383] lstrcpyW (in: lpString1=0x19f5b4, lpString2="powerpnt.exe" | out: lpString1="powerpnt.exe") returned="powerpnt.exe" [0063.383] lstrlenW (lpString="powerpnt.exe") returned 12 [0063.383] CharUpperBuffW (in: lpsz="powerpnt.exe", cchLength=0xc | out: lpsz="POWERPNT.EXE") returned 0xc [0063.383] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.402] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.406] lstrcpyW (in: lpString1=0x19f5b4, lpString2="xfssvon.exe" | out: lpString1="xfssvon.exe") returned="xfssvon.exe" [0063.406] lstrlenW (lpString="xfssvon.exe") returned 11 [0063.406] CharUpperBuffW (in: lpsz="xfssvon.exe", cchLength=0xb | out: lpsz="XFSSVON.EXE") returned 0xb [0063.406] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.429] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.433] lstrcpyW (in: lpString1=0x19f5b4, lpString2="msaess.exe" | out: lpString1="msaess.exe") returned="msaess.exe" [0063.433] lstrlenW (lpString="msaess.exe") returned 10 [0063.433] CharUpperBuffW (in: lpsz="msaess.exe", cchLength=0xa | out: lpsz="MSAESS.EXE") returned 0xa [0063.433] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.453] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.456] lstrcpyW (in: lpString1=0x19f5b4, lpString2="sqboreservie.exe" | out: lpString1="sqboreservie.exe") returned="sqboreservie.exe" [0063.456] lstrlenW (lpString="sqboreservie.exe") returned 16 [0063.457] CharUpperBuffW (in: lpsz="sqboreservie.exe", cchLength=0x10 | out: lpsz="SQBORESERVIE.EXE") returned 0x10 [0063.457] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.474] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.477] lstrcpyW (in: lpString1=0x19f5b4, lpString2="tmlisten.exe" | out: lpString1="tmlisten.exe") returned="tmlisten.exe" [0063.477] lstrlenW (lpString="tmlisten.exe") returned 12 [0063.477] CharUpperBuffW (in: lpsz="tmlisten.exe", cchLength=0xc | out: lpsz="TMLISTEN.EXE") returned 0xc [0063.477] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.494] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.497] lstrcpyW (in: lpString1=0x19f5b4, lpString2="msftesql.exe" | out: lpString1="msftesql.exe") returned="msftesql.exe" [0063.497] lstrlenW (lpString="msftesql.exe") returned 12 [0063.497] CharUpperBuffW (in: lpsz="msftesql.exe", cchLength=0xc | out: lpsz="MSFTESQL.EXE") returned 0xc [0063.497] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.515] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.518] lstrcpyW (in: lpString1=0x19f5b4, lpString2="sqlagent.exe" | out: lpString1="sqlagent.exe") returned="sqlagent.exe" [0063.518] lstrlenW (lpString="sqlagent.exe") returned 12 [0063.518] CharUpperBuffW (in: lpsz="sqlagent.exe", cchLength=0xc | out: lpsz="SQLAGENT.EXE") returned 0xc [0063.518] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.535] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.539] lstrcpyW (in: lpString1=0x19f5b4, lpString2="PNTMon.exe" | out: lpString1="PNTMon.exe") returned="PNTMon.exe" [0063.539] lstrlenW (lpString="PNTMon.exe") returned 10 [0063.539] CharUpperBuffW (in: lpsz="PNTMon.exe", cchLength=0xa | out: lpsz="PNTMON.EXE") returned 0xa [0063.539] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.556] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.559] lstrcpyW (in: lpString1=0x19f5b4, lpString2="mspub.exe" | out: lpString1="mspub.exe") returned="mspub.exe" [0063.559] lstrlenW (lpString="mspub.exe") returned 9 [0063.559] CharUpperBuffW (in: lpsz="mspub.exe", cchLength=0x9 | out: lpsz="MSPUB.EXE") returned 0x9 [0063.559] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.577] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.580] lstrcpyW (in: lpString1=0x19f5b4, lpString2="sqlbrowser.exe" | out: lpString1="sqlbrowser.exe") returned="sqlbrowser.exe" [0063.580] lstrlenW (lpString="sqlbrowser.exe") returned 14 [0063.580] CharUpperBuffW (in: lpsz="sqlbrowser.exe", cchLength=0xe | out: lpsz="SQLBROWSER.EXE") returned 0xe [0063.580] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.598] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.601] lstrcpyW (in: lpString1=0x19f5b4, lpString2="NTAoSMgr.exe" | out: lpString1="NTAoSMgr.exe") returned="NTAoSMgr.exe" [0063.601] lstrlenW (lpString="NTAoSMgr.exe") returned 12 [0063.601] CharUpperBuffW (in: lpsz="NTAoSMgr.exe", cchLength=0xc | out: lpsz="NTAOSMGR.EXE") returned 0xc [0063.601] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.625] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.629] lstrcpyW (in: lpString1=0x19f5b4, lpString2="mydesktopqos.exe" | out: lpString1="mydesktopqos.exe") returned="mydesktopqos.exe" [0063.629] lstrlenW (lpString="mydesktopqos.exe") returned 16 [0063.629] CharUpperBuffW (in: lpsz="mydesktopqos.exe", cchLength=0x10 | out: lpsz="MYDESKTOPQOS.EXE") returned 0x10 [0063.629] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.652] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.655] lstrcpyW (in: lpString1=0x19f5b4, lpString2="sqlservr.exe" | out: lpString1="sqlservr.exe") returned="sqlservr.exe" [0063.655] lstrlenW (lpString="sqlservr.exe") returned 12 [0063.655] CharUpperBuffW (in: lpsz="sqlservr.exe", cchLength=0xc | out: lpsz="SQLSERVR.EXE") returned 0xc [0063.655] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.673] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.676] lstrcpyW (in: lpString1=0x19f5b4, lpString2="Ntrtsan.exe" | out: lpString1="Ntrtsan.exe") returned="Ntrtsan.exe" [0063.676] lstrlenW (lpString="Ntrtsan.exe") returned 11 [0063.676] CharUpperBuffW (in: lpsz="Ntrtsan.exe", cchLength=0xb | out: lpsz="NTRTSAN.EXE") returned 0xb [0063.676] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.699] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.703] lstrcpyW (in: lpString1=0x19f5b4, lpString2="mydesktopservie.exe" | out: lpString1="mydesktopservie.exe") returned="mydesktopservie.exe" [0063.703] lstrlenW (lpString="mydesktopservie.exe") returned 19 [0063.703] CharUpperBuffW (in: lpsz="mydesktopservie.exe", cchLength=0x13 | out: lpsz="MYDESKTOPSERVIE.EXE") returned 0x13 [0063.703] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.724] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.727] lstrcpyW (in: lpString1=0x19f5b4, lpString2="sqlwriter.exe" | out: lpString1="sqlwriter.exe") returned="sqlwriter.exe" [0063.727] lstrlenW (lpString="sqlwriter.exe") returned 13 [0063.727] CharUpperBuffW (in: lpsz="sqlwriter.exe", cchLength=0xd | out: lpsz="SQLWRITER.EXE") returned 0xd [0063.727] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.745] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.748] lstrcpyW (in: lpString1=0x19f5b4, lpString2="mbamtray.exe" | out: lpString1="mbamtray.exe") returned="mbamtray.exe" [0063.748] lstrlenW (lpString="mbamtray.exe") returned 12 [0063.748] CharUpperBuffW (in: lpsz="mbamtray.exe", cchLength=0xc | out: lpsz="MBAMTRAY.EXE") returned 0xc [0063.748] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.774] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.777] lstrcpyW (in: lpString1=0x19f5b4, lpString2="mysqld.exe" | out: lpString1="mysqld.exe") returned="mysqld.exe" [0063.777] lstrlenW (lpString="mysqld.exe") returned 10 [0063.777] CharUpperBuffW (in: lpsz="mysqld.exe", cchLength=0xa | out: lpsz="MYSQLD.EXE") returned 0xa [0063.777] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.796] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0063.799] lstrcpyW (in: lpString1=0x19f5b4, lpString2="steam.exe" | out: lpString1="steam.exe") returned="steam.exe" [0063.799] lstrlenW (lpString="steam.exe") returned 9 [0063.799] CharUpperBuffW (in: lpsz="steam.exe", cchLength=0x9 | out: lpsz="STEAM.EXE") returned 0x9 [0063.799] Process32FirstW (in: hSnapshot=0x18c, lppe=0x19f180 | out: lppe=0x19f180*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.818] SetErrorMode (uMode=0x1) returned 0x0 [0063.818] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40d9f0, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0063.818] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="A:") returned 2 [0063.818] GetDriveTypeW (lpRootPathName="A:") returned 0x1 [0063.818] Sleep (dwMilliseconds=0x64) [0064.018] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="B:") returned 2 [0064.018] GetDriveTypeW (lpRootPathName="B:") returned 0x1 [0064.018] Sleep (dwMilliseconds=0x64) [0064.185] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="C:") returned 2 [0064.185] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0064.185] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40da20, lpParameter=0x19f9dc, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0064.185] Sleep (dwMilliseconds=0xa) [0064.197] Sleep (dwMilliseconds=0x64) [0064.307] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="D:") returned 2 [0064.307] GetDriveTypeW (lpRootPathName="D:") returned 0x1 [0064.307] Sleep (dwMilliseconds=0x64) [0064.427] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="E:") returned 2 [0064.427] GetDriveTypeW (lpRootPathName="E:") returned 0x1 [0064.428] Sleep (dwMilliseconds=0x64) [0064.602] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="F:") returned 2 [0064.602] GetDriveTypeW (lpRootPathName="F:") returned 0x1 [0064.602] Sleep (dwMilliseconds=0x64) [0064.713] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="G:") returned 2 [0064.713] GetDriveTypeW (lpRootPathName="G:") returned 0x1 [0064.713] Sleep (dwMilliseconds=0x64) [0064.822] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="H:") returned 2 [0064.822] GetDriveTypeW (lpRootPathName="H:") returned 0x1 [0064.822] Sleep (dwMilliseconds=0x64) [0064.932] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="I:") returned 2 [0064.932] GetDriveTypeW (lpRootPathName="I:") returned 0x1 [0064.932] Sleep (dwMilliseconds=0x64) [0065.041] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="J:") returned 2 [0065.041] GetDriveTypeW (lpRootPathName="J:") returned 0x1 [0065.041] Sleep (dwMilliseconds=0x64) [0065.150] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="K:") returned 2 [0065.150] GetDriveTypeW (lpRootPathName="K:") returned 0x1 [0065.151] Sleep (dwMilliseconds=0x64) [0065.260] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="L:") returned 2 [0065.260] GetDriveTypeW (lpRootPathName="L:") returned 0x1 [0065.260] Sleep (dwMilliseconds=0x64) [0065.369] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="M:") returned 2 [0065.369] GetDriveTypeW (lpRootPathName="M:") returned 0x1 [0065.369] Sleep (dwMilliseconds=0x64) [0065.491] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="N:") returned 2 [0065.491] GetDriveTypeW (lpRootPathName="N:") returned 0x1 [0065.491] Sleep (dwMilliseconds=0x64) [0065.632] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="O:") returned 2 [0065.632] GetDriveTypeW (lpRootPathName="O:") returned 0x1 [0065.632] Sleep (dwMilliseconds=0x64) [0065.850] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="P:") returned 2 [0065.850] GetDriveTypeW (lpRootPathName="P:") returned 0x1 [0065.850] Sleep (dwMilliseconds=0x64) [0065.963] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="Q:") returned 2 [0065.963] GetDriveTypeW (lpRootPathName="Q:") returned 0x1 [0065.964] Sleep (dwMilliseconds=0x64) [0066.076] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="R:") returned 2 [0066.076] GetDriveTypeW (lpRootPathName="R:") returned 0x1 [0066.076] Sleep (dwMilliseconds=0x64) [0066.243] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="S:") returned 2 [0066.243] GetDriveTypeW (lpRootPathName="S:") returned 0x1 [0066.243] Sleep (dwMilliseconds=0x64) [0066.357] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="T:") returned 2 [0066.357] GetDriveTypeW (lpRootPathName="T:") returned 0x1 [0066.357] Sleep (dwMilliseconds=0x64) [0066.463] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="U:") returned 2 [0066.464] GetDriveTypeW (lpRootPathName="U:") returned 0x1 [0066.464] Sleep (dwMilliseconds=0x64) [0066.572] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="V:") returned 2 [0066.572] GetDriveTypeW (lpRootPathName="V:") returned 0x1 [0066.573] Sleep (dwMilliseconds=0x64) [0066.682] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="W:") returned 2 [0066.682] GetDriveTypeW (lpRootPathName="W:") returned 0x1 [0066.682] Sleep (dwMilliseconds=0x64) [0066.806] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="X:") returned 2 [0066.807] GetDriveTypeW (lpRootPathName="X:") returned 0x1 [0066.807] Sleep (dwMilliseconds=0x64) [0066.916] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="Y:") returned 2 [0066.916] GetDriveTypeW (lpRootPathName="Y:") returned 0x1 [0066.917] Sleep (dwMilliseconds=0x64) [0067.032] wsprintfW (in: param_1=0x19f9dc, param_2="%c:" | out: param_1="Z:") returned 2 [0067.032] GetDriveTypeW (lpRootPathName="Z:") returned 0x1 [0067.032] Sleep (dwMilliseconds=0x64) [0067.139] Sleep (dwMilliseconds=0x493e0) [0077.426] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19f7d4, csidl=0, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\Desktop") returned 1 [0077.428] SetErrorMode (uMode=0x1) returned 0x1 [0077.428] lstrcpyW (in: lpString1=0x19eb80, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop" [0077.428] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.428] lstrcpyW (in: lpString1=0x19e770, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.428] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*" [0077.428] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*", lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 0x243878 [0077.428] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Chrome") returned 0x0 [0077.428] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Mozilla") returned 0x0 [0077.428] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Recycle.bin") returned 0x0 [0077.428] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Microsoft") returned 0x0 [0077.428] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="AhnLab") returned 0x0 [0077.428] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Windows") returned 0x0 [0077.428] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="All Users") returned 0x0 [0077.428] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="ProgramData") returned 0x0 [0077.429] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Program Files (x86)") returned 0x0 [0077.429] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0077.429] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Program Files") returned 0x0 [0077.429] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="PROGRAM FILES") returned 0x0 [0077.429] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0077.429] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0077.429] lstrcmpW (lpString1="-iMb6We3lfA1Z-Fb.m4a", lpString2="..") returned 1 [0077.429] lstrcmpW (lpString1="-iMb6We3lfA1Z-Fb.m4a", lpString2=".") returned 1 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="ClopReadMe.txt") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="ntldr") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="NTLDR") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="boot.ini") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="BOOT.INI") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="ntuser.ini") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="NTUSER.INI") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="AUTOEXEC.BAT") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="autoexec.bat") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".Clop") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="NTDETECT.COM") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch="ntdetect.com") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".dll") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".DLL") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".exe") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".EXE") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".sys") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".SYS") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".OCX") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".ocx") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".LNK") returned 0x0 [0077.429] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".lnk") returned 0x0 [0077.429] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0077.429] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.429] lstrcpyW (in: lpString1=0x19e366, lpString2="-iMb6We3lfA1Z-Fb.m4a" | out: lpString1="-iMb6We3lfA1Z-Fb.m4a") returned="-iMb6We3lfA1Z-Fb.m4a" [0077.429] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.429] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x248 [0077.430] WaitForSingleObject (hHandle=0x248, dwMilliseconds=0xffffffff) returned 0x0 [0077.838] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0077.838] lstrcmpW (lpString1="-uqdFL.swf", lpString2="..") returned 1 [0077.838] lstrcmpW (lpString1="-uqdFL.swf", lpString2=".") returned 1 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="ClopReadMe.txt") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="ntldr") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="NTLDR") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="boot.ini") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="BOOT.INI") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="ntuser.ini") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="NTUSER.INI") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="AUTOEXEC.BAT") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="autoexec.bat") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".Clop") returned 0x0 [0077.838] StrStrW (lpFirst="-uqdFL.swf", lpSrch="NTDETECT.COM") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch="ntdetect.com") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".dll") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".DLL") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".exe") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".EXE") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".sys") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".SYS") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".OCX") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".ocx") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".LNK") returned 0x0 [0077.839] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".lnk") returned 0x0 [0077.839] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0077.839] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.839] lstrcpyW (in: lpString1=0x19e366, lpString2="-uqdFL.swf" | out: lpString1="-uqdFL.swf") returned="-uqdFL.swf" [0077.839] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.839] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x26c [0077.839] WaitForSingleObject (hHandle=0x26c, dwMilliseconds=0xffffffff) returned 0x0 [0077.896] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0077.896] lstrcmpW (lpString1="-W1ANSK7kJ9rC2R Vp-0.avi", lpString2="..") returned 1 [0077.896] lstrcmpW (lpString1="-W1ANSK7kJ9rC2R Vp-0.avi", lpString2=".") returned 1 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="ClopReadMe.txt") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="ntldr") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="NTLDR") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="boot.ini") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="BOOT.INI") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="ntuser.ini") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="NTUSER.INI") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="AUTOEXEC.BAT") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="autoexec.bat") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".Clop") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="NTDETECT.COM") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch="ntdetect.com") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".dll") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".DLL") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".exe") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".EXE") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".sys") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".SYS") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".OCX") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".ocx") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".LNK") returned 0x0 [0077.896] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".lnk") returned 0x0 [0077.896] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0077.896] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.896] lstrcpyW (in: lpString1=0x19e366, lpString2="-W1ANSK7kJ9rC2R Vp-0.avi" | out: lpString1="-W1ANSK7kJ9rC2R Vp-0.avi") returned="-W1ANSK7kJ9rC2R Vp-0.avi" [0077.896] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x298 [0077.897] WaitForSingleObject (hHandle=0x298, dwMilliseconds=0xffffffff) returned 0x0 [0077.954] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0077.954] lstrcmpW (lpString1="28exXMRcr1nP4Rj3.mp4", lpString2="..") returned 1 [0077.954] lstrcmpW (lpString1="28exXMRcr1nP4Rj3.mp4", lpString2=".") returned 1 [0077.954] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="ClopReadMe.txt") returned 0x0 [0077.954] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="ntldr") returned 0x0 [0077.954] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="NTLDR") returned 0x0 [0077.954] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="boot.ini") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="BOOT.INI") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="ntuser.ini") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="NTUSER.INI") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="AUTOEXEC.BAT") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="autoexec.bat") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".Clop") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="NTDETECT.COM") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch="ntdetect.com") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".dll") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".DLL") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".exe") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".EXE") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".sys") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".SYS") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".OCX") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".ocx") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".LNK") returned 0x0 [0077.955] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".lnk") returned 0x0 [0077.955] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0077.955] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.955] lstrcpyW (in: lpString1=0x19e366, lpString2="28exXMRcr1nP4Rj3.mp4" | out: lpString1="28exXMRcr1nP4Rj3.mp4") returned="28exXMRcr1nP4Rj3.mp4" [0077.955] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.955] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0077.955] WaitForSingleObject (hHandle=0x270, dwMilliseconds=0xffffffff) returned 0x0 [0077.991] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0077.991] lstrcmpW (lpString1="2hw0VHoOhU P3sOPU0.docx", lpString2="..") returned 1 [0077.991] lstrcmpW (lpString1="2hw0VHoOhU P3sOPU0.docx", lpString2=".") returned 1 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="ClopReadMe.txt") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="ntldr") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="NTLDR") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="boot.ini") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="BOOT.INI") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="ntuser.ini") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="NTUSER.INI") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="AUTOEXEC.BAT") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="autoexec.bat") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".Clop") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="NTDETECT.COM") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch="ntdetect.com") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".dll") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".DLL") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".exe") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".EXE") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".sys") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".SYS") returned 0x0 [0077.991] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".OCX") returned 0x0 [0077.992] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".ocx") returned 0x0 [0077.992] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".LNK") returned 0x0 [0077.992] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".lnk") returned 0x0 [0077.992] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0077.992] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.992] lstrcpyW (in: lpString1=0x19e366, lpString2="2hw0VHoOhU P3sOPU0.docx" | out: lpString1="2hw0VHoOhU P3sOPU0.docx") returned="2hw0VHoOhU P3sOPU0.docx" [0077.992] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.992] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x29c [0077.992] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0078.015] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.015] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.015] lstrcmpW (lpString1="9rQFVz_dAB30dr89aphB.jpg", lpString2="..") returned 1 [0078.015] lstrcmpW (lpString1="9rQFVz_dAB30dr89aphB.jpg", lpString2=".") returned 1 [0078.015] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="ClopReadMe.txt") returned 0x0 [0078.015] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="ntldr") returned 0x0 [0078.015] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="NTLDR") returned 0x0 [0078.015] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="boot.ini") returned 0x0 [0078.015] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="BOOT.INI") returned 0x0 [0078.015] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="ntuser.ini") returned 0x0 [0078.015] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="NTUSER.INI") returned 0x0 [0078.015] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="AUTOEXEC.BAT") returned 0x0 [0078.015] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="autoexec.bat") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".Clop") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="NTDETECT.COM") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch="ntdetect.com") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".dll") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".DLL") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".exe") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".EXE") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".sys") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".SYS") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".OCX") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".ocx") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".LNK") returned 0x0 [0078.016] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".lnk") returned 0x0 [0078.016] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0078.016] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.016] lstrcpyW (in: lpString1=0x19e366, lpString2="9rQFVz_dAB30dr89aphB.jpg" | out: lpString1="9rQFVz_dAB30dr89aphB.jpg") returned="9rQFVz_dAB30dr89aphB.jpg" [0078.016] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.016] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0078.016] WaitForSingleObject (hHandle=0x2a0, dwMilliseconds=0xffffffff) returned 0x0 [0078.061] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.061] lstrcmpW (lpString1="AawVwHL.m4a", lpString2="..") returned 1 [0078.061] lstrcmpW (lpString1="AawVwHL.m4a", lpString2=".") returned 1 [0078.061] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="ClopReadMe.txt") returned 0x0 [0078.061] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="ntldr") returned 0x0 [0078.061] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="NTLDR") returned 0x0 [0078.061] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="boot.ini") returned 0x0 [0078.061] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="BOOT.INI") returned 0x0 [0078.061] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="ntuser.ini") returned 0x0 [0078.061] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="NTUSER.INI") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="AUTOEXEC.BAT") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="autoexec.bat") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".Clop") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="NTDETECT.COM") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch="ntdetect.com") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".dll") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".DLL") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".exe") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".EXE") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".sys") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".SYS") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".OCX") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".ocx") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".LNK") returned 0x0 [0078.062] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".lnk") returned 0x0 [0078.062] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0078.062] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.062] lstrcpyW (in: lpString1=0x19e366, lpString2="AawVwHL.m4a" | out: lpString1="AawVwHL.m4a") returned="AawVwHL.m4a" [0078.062] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0078.062] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0xffffffff) returned 0x0 [0078.124] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.124] lstrcmpW (lpString1="AdgNJLl.avi", lpString2="..") returned 1 [0078.124] lstrcmpW (lpString1="AdgNJLl.avi", lpString2=".") returned 1 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="ClopReadMe.txt") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="ntldr") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="NTLDR") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="boot.ini") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="BOOT.INI") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="ntuser.ini") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="NTUSER.INI") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="AUTOEXEC.BAT") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="autoexec.bat") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".Clop") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="NTDETECT.COM") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch="ntdetect.com") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".dll") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".DLL") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".exe") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".EXE") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".sys") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".SYS") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".OCX") returned 0x0 [0078.124] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".ocx") returned 0x0 [0078.125] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".LNK") returned 0x0 [0078.125] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".lnk") returned 0x0 [0078.125] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0078.125] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.125] lstrcpyW (in: lpString1=0x19e366, lpString2="AdgNJLl.avi" | out: lpString1="AdgNJLl.avi") returned="AdgNJLl.avi" [0078.125] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.125] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0078.125] WaitForSingleObject (hHandle=0x2a8, dwMilliseconds=0xffffffff) returned 0x0 [0078.148] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.148] lstrcmpW (lpString1="BLH3rhTCDoUHvqqP.mp3", lpString2="..") returned 1 [0078.148] lstrcmpW (lpString1="BLH3rhTCDoUHvqqP.mp3", lpString2=".") returned 1 [0078.148] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="ClopReadMe.txt") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="ntldr") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="NTLDR") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="boot.ini") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="BOOT.INI") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="ntuser.ini") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="NTUSER.INI") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="AUTOEXEC.BAT") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="autoexec.bat") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".Clop") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="NTDETECT.COM") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch="ntdetect.com") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".dll") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".DLL") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".exe") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".EXE") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".sys") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".SYS") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".OCX") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".ocx") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".LNK") returned 0x0 [0078.149] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".lnk") returned 0x0 [0078.149] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0078.149] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.149] lstrcpyW (in: lpString1=0x19e366, lpString2="BLH3rhTCDoUHvqqP.mp3" | out: lpString1="BLH3rhTCDoUHvqqP.mp3") returned="BLH3rhTCDoUHvqqP.mp3" [0078.149] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.149] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ac [0078.149] WaitForSingleObject (hHandle=0x2ac, dwMilliseconds=0xffffffff) returned 0x0 [0078.197] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.197] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0078.197] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="ClopReadMe.txt") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="ntldr") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="NTLDR") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="boot.ini") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="BOOT.INI") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="ntuser.ini") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="NTUSER.INI") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="AUTOEXEC.BAT") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="autoexec.bat") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch=".Clop") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="NTDETECT.COM") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch="ntdetect.com") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch=".dll") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch=".DLL") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch=".exe") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch=".EXE") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch=".sys") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch=".SYS") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch=".OCX") returned 0x0 [0078.197] StrStrW (lpFirst="desktop.ini", lpSrch=".ocx") returned 0x0 [0078.198] StrStrW (lpFirst="desktop.ini", lpSrch=".LNK") returned 0x0 [0078.198] StrStrW (lpFirst="desktop.ini", lpSrch=".lnk") returned 0x0 [0078.198] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0078.198] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.198] lstrcpyW (in: lpString1=0x19e366, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0078.198] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.198] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b0 [0078.686] WaitForSingleObject (hHandle=0x2b0, dwMilliseconds=0xffffffff) returned 0x0 [0078.754] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.754] lstrcmpW (lpString1="JK-lp.gif", lpString2="..") returned 1 [0078.754] lstrcmpW (lpString1="JK-lp.gif", lpString2=".") returned 1 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="ClopReadMe.txt") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="ntldr") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="NTLDR") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="boot.ini") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="BOOT.INI") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="ntuser.ini") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="NTUSER.INI") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="AUTOEXEC.BAT") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="autoexec.bat") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".Clop") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="NTDETECT.COM") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch="ntdetect.com") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".dll") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".DLL") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".exe") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".EXE") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".sys") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".SYS") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".OCX") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".ocx") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".LNK") returned 0x0 [0078.754] StrStrW (lpFirst="JK-lp.gif", lpSrch=".lnk") returned 0x0 [0078.754] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0078.754] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.754] lstrcpyW (in: lpString1=0x19e366, lpString2="JK-lp.gif" | out: lpString1="JK-lp.gif") returned="JK-lp.gif" [0078.754] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.755] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b4 [0078.755] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0xffffffff) returned 0x0 [0078.878] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.878] lstrcmpW (lpString1="Jl0vZzRw qEogGC.mp3", lpString2="..") returned 1 [0078.878] lstrcmpW (lpString1="Jl0vZzRw qEogGC.mp3", lpString2=".") returned 1 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="ClopReadMe.txt") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="ntldr") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="NTLDR") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="boot.ini") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="BOOT.INI") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="ntuser.ini") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="NTUSER.INI") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="AUTOEXEC.BAT") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="autoexec.bat") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".Clop") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="NTDETECT.COM") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch="ntdetect.com") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".dll") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".DLL") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".exe") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".EXE") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".sys") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".SYS") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".OCX") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".ocx") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".LNK") returned 0x0 [0078.878] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".lnk") returned 0x0 [0078.878] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0078.878] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.879] lstrcpyW (in: lpString1=0x19e366, lpString2="Jl0vZzRw qEogGC.mp3" | out: lpString1="Jl0vZzRw qEogGC.mp3") returned="Jl0vZzRw qEogGC.mp3" [0078.879] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.879] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b8 [0078.879] WaitForSingleObject (hHandle=0x2b8, dwMilliseconds=0xffffffff) returned 0x0 [0078.910] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.910] lstrcmpW (lpString1="Jqmw2bG-TElFXFN.swf", lpString2="..") returned 1 [0078.910] lstrcmpW (lpString1="Jqmw2bG-TElFXFN.swf", lpString2=".") returned 1 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="ClopReadMe.txt") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="ntldr") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="NTLDR") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="boot.ini") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="BOOT.INI") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="ntuser.ini") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="NTUSER.INI") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="AUTOEXEC.BAT") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="autoexec.bat") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".Clop") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="NTDETECT.COM") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch="ntdetect.com") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".dll") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".DLL") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".exe") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".EXE") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".sys") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".SYS") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".OCX") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".ocx") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".LNK") returned 0x0 [0078.911] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".lnk") returned 0x0 [0078.911] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0078.911] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.911] lstrcpyW (in: lpString1=0x19e366, lpString2="Jqmw2bG-TElFXFN.swf" | out: lpString1="Jqmw2bG-TElFXFN.swf") returned="Jqmw2bG-TElFXFN.swf" [0078.911] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.911] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2bc [0078.911] WaitForSingleObject (hHandle=0x2bc, dwMilliseconds=0xffffffff) returned 0x0 [0078.974] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0078.974] lstrcmpW (lpString1="jzlaMjeyc.m4a", lpString2="..") returned 1 [0078.974] lstrcmpW (lpString1="jzlaMjeyc.m4a", lpString2=".") returned 1 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="ClopReadMe.txt") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="ntldr") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="NTLDR") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="boot.ini") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="BOOT.INI") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="ntuser.ini") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="NTUSER.INI") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="AUTOEXEC.BAT") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="autoexec.bat") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".Clop") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="NTDETECT.COM") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch="ntdetect.com") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".dll") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".DLL") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".exe") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".EXE") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".sys") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".SYS") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".OCX") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".ocx") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".LNK") returned 0x0 [0078.974] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".lnk") returned 0x0 [0078.974] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0078.974] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.974] lstrcpyW (in: lpString1=0x19e366, lpString2="jzlaMjeyc.m4a" | out: lpString1="jzlaMjeyc.m4a") returned="jzlaMjeyc.m4a" [0078.974] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.974] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0078.975] WaitForSingleObject (hHandle=0x2c0, dwMilliseconds=0xffffffff) returned 0x0 [0079.134] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0079.134] lstrcmpW (lpString1="kgA8vkn8D.png", lpString2="..") returned 1 [0079.134] lstrcmpW (lpString1="kgA8vkn8D.png", lpString2=".") returned 1 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="ClopReadMe.txt") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="ntldr") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="NTLDR") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="boot.ini") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="BOOT.INI") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="ntuser.ini") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="NTUSER.INI") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="AUTOEXEC.BAT") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="autoexec.bat") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".Clop") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="NTDETECT.COM") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch="ntdetect.com") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".dll") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".DLL") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".exe") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".EXE") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".sys") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".SYS") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".OCX") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".ocx") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".LNK") returned 0x0 [0079.134] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".lnk") returned 0x0 [0079.135] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0079.135] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0079.135] lstrcpyW (in: lpString1=0x19e366, lpString2="kgA8vkn8D.png" | out: lpString1="kgA8vkn8D.png") returned="kgA8vkn8D.png" [0079.135] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0079.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c4 [0079.135] WaitForSingleObject (hHandle=0x2c4, dwMilliseconds=0xffffffff) returned 0x0 [0079.177] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0079.178] lstrcmpW (lpString1="KZdjrOBP38df.wav", lpString2="..") returned 1 [0079.178] lstrcmpW (lpString1="KZdjrOBP38df.wav", lpString2=".") returned 1 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="ClopReadMe.txt") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="ntldr") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="NTLDR") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="boot.ini") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="BOOT.INI") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="ntuser.ini") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="NTUSER.INI") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="AUTOEXEC.BAT") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="autoexec.bat") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".Clop") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="NTDETECT.COM") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch="ntdetect.com") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".dll") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".DLL") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".exe") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".EXE") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".sys") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".SYS") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".OCX") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".ocx") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".LNK") returned 0x0 [0079.178] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".lnk") returned 0x0 [0079.178] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0079.178] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0079.178] lstrcpyW (in: lpString1=0x19e366, lpString2="KZdjrOBP38df.wav" | out: lpString1="KZdjrOBP38df.wav") returned="KZdjrOBP38df.wav" [0079.178] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0079.178] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c8 [0079.179] WaitForSingleObject (hHandle=0x2c8, dwMilliseconds=0xffffffff) returned 0x0 [0079.733] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0079.733] lstrcmpW (lpString1="LIpP.mp3", lpString2="..") returned 1 [0079.733] lstrcmpW (lpString1="LIpP.mp3", lpString2=".") returned 1 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="ClopReadMe.txt") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="ntldr") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="NTLDR") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="boot.ini") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="BOOT.INI") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="ntuser.ini") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="NTUSER.INI") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="AUTOEXEC.BAT") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="autoexec.bat") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".Clop") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="NTDETECT.COM") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch="ntdetect.com") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".dll") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".DLL") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".exe") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".EXE") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".sys") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".SYS") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".OCX") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".ocx") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".LNK") returned 0x0 [0079.733] StrStrW (lpFirst="LIpP.mp3", lpSrch=".lnk") returned 0x0 [0079.733] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0079.733] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0079.733] lstrcpyW (in: lpString1=0x19e366, lpString2="LIpP.mp3" | out: lpString1="LIpP.mp3") returned="LIpP.mp3" [0079.733] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0079.733] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2cc [0079.734] WaitForSingleObject (hHandle=0x2cc, dwMilliseconds=0xffffffff) returned 0x0 [0079.870] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0079.870] lstrcmpW (lpString1="m9Pz1Hmu.jpg", lpString2="..") returned 1 [0079.870] lstrcmpW (lpString1="m9Pz1Hmu.jpg", lpString2=".") returned 1 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="ClopReadMe.txt") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="ntldr") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="NTLDR") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="boot.ini") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="BOOT.INI") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="ntuser.ini") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="NTUSER.INI") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="AUTOEXEC.BAT") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="autoexec.bat") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".Clop") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="NTDETECT.COM") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch="ntdetect.com") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".dll") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".DLL") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".exe") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".EXE") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".sys") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".SYS") returned 0x0 [0079.870] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".OCX") returned 0x0 [0079.871] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".ocx") returned 0x0 [0079.871] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".LNK") returned 0x0 [0079.871] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".lnk") returned 0x0 [0079.871] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0079.871] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0079.871] lstrcpyW (in: lpString1=0x19e366, lpString2="m9Pz1Hmu.jpg" | out: lpString1="m9Pz1Hmu.jpg") returned="m9Pz1Hmu.jpg" [0079.871] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0079.871] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d0 [0079.871] WaitForSingleObject (hHandle=0x2d0, dwMilliseconds=0xffffffff) returned 0x0 [0080.020] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.020] lstrcmpW (lpString1="NyBrpQ_xx-AQ74dNO8U.mp4", lpString2="..") returned 1 [0080.020] lstrcmpW (lpString1="NyBrpQ_xx-AQ74dNO8U.mp4", lpString2=".") returned 1 [0080.020] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="ClopReadMe.txt") returned 0x0 [0080.020] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="ntldr") returned 0x0 [0080.020] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="NTLDR") returned 0x0 [0080.020] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="boot.ini") returned 0x0 [0080.020] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="BOOT.INI") returned 0x0 [0080.020] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="ntuser.ini") returned 0x0 [0080.020] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="NTUSER.INI") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="autoexec.bat") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".Clop") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="NTDETECT.COM") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch="ntdetect.com") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".dll") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".DLL") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".exe") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".EXE") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".sys") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".SYS") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".OCX") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".ocx") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".LNK") returned 0x0 [0080.021] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".lnk") returned 0x0 [0080.021] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0080.021] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.021] lstrcpyW (in: lpString1=0x19e366, lpString2="NyBrpQ_xx-AQ74dNO8U.mp4" | out: lpString1="NyBrpQ_xx-AQ74dNO8U.mp4") returned="NyBrpQ_xx-AQ74dNO8U.mp4" [0080.021] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.021] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d4 [0080.021] WaitForSingleObject (hHandle=0x2d4, dwMilliseconds=0xffffffff) returned 0x0 [0080.085] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.085] lstrcmpW (lpString1="Q4seUw4PucaI98v.bmp", lpString2="..") returned 1 [0080.085] lstrcmpW (lpString1="Q4seUw4PucaI98v.bmp", lpString2=".") returned 1 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="ClopReadMe.txt") returned 0x0 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="ntldr") returned 0x0 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="NTLDR") returned 0x0 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="boot.ini") returned 0x0 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="BOOT.INI") returned 0x0 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="ntuser.ini") returned 0x0 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="NTUSER.INI") returned 0x0 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="autoexec.bat") returned 0x0 [0080.085] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".Clop") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="NTDETECT.COM") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch="ntdetect.com") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".dll") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".DLL") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".exe") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".EXE") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".sys") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".SYS") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".OCX") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".ocx") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".LNK") returned 0x0 [0080.086] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".lnk") returned 0x0 [0080.086] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0080.086] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.086] lstrcpyW (in: lpString1=0x19e366, lpString2="Q4seUw4PucaI98v.bmp" | out: lpString1="Q4seUw4PucaI98v.bmp") returned="Q4seUw4PucaI98v.bmp" [0080.086] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.086] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d8 [0080.086] WaitForSingleObject (hHandle=0x2d8, dwMilliseconds=0xffffffff) returned 0x0 [0080.327] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.327] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.327] lstrcmpW (lpString1="sQOzkBJ4zBYE1.ots", lpString2="..") returned 1 [0080.327] lstrcmpW (lpString1="sQOzkBJ4zBYE1.ots", lpString2=".") returned 1 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="ClopReadMe.txt") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="ntldr") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="NTLDR") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="boot.ini") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="BOOT.INI") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="ntuser.ini") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="NTUSER.INI") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="autoexec.bat") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".Clop") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="NTDETECT.COM") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch="ntdetect.com") returned 0x0 [0080.327] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".dll") returned 0x0 [0080.328] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".DLL") returned 0x0 [0080.328] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".exe") returned 0x0 [0080.328] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".EXE") returned 0x0 [0080.328] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".sys") returned 0x0 [0080.328] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".SYS") returned 0x0 [0080.328] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".OCX") returned 0x0 [0080.328] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".ocx") returned 0x0 [0080.328] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".LNK") returned 0x0 [0080.328] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".lnk") returned 0x0 [0080.328] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0080.328] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.328] lstrcpyW (in: lpString1=0x19e366, lpString2="sQOzkBJ4zBYE1.ots" | out: lpString1="sQOzkBJ4zBYE1.ots") returned="sQOzkBJ4zBYE1.ots" [0080.328] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.328] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2dc [0080.328] WaitForSingleObject (hHandle=0x2dc, dwMilliseconds=0xffffffff) returned 0x0 [0080.444] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.444] lstrcmpW (lpString1="tcpsov.exe", lpString2="..") returned 1 [0080.444] lstrcmpW (lpString1="tcpsov.exe", lpString2=".") returned 1 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="ClopReadMe.txt") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="ntldr") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="NTLDR") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="boot.ini") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="BOOT.INI") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="ntuser.ini") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="NTUSER.INI") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="autoexec.bat") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch=".Clop") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="NTDETECT.COM") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch="ntdetect.com") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch=".dll") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch=".DLL") returned 0x0 [0080.444] StrStrW (lpFirst="tcpsov.exe", lpSrch=".exe") returned=".exe" [0080.444] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.444] lstrcmpW (lpString1="ubOb0lDCzgG80Xvp.gif", lpString2="..") returned 1 [0080.444] lstrcmpW (lpString1="ubOb0lDCzgG80Xvp.gif", lpString2=".") returned 1 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="ClopReadMe.txt") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="ntldr") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="NTLDR") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="boot.ini") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="BOOT.INI") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="ntuser.ini") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="NTUSER.INI") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="autoexec.bat") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".Clop") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="NTDETECT.COM") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch="ntdetect.com") returned 0x0 [0080.444] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".dll") returned 0x0 [0080.445] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".DLL") returned 0x0 [0080.445] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".exe") returned 0x0 [0080.445] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".EXE") returned 0x0 [0080.445] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".sys") returned 0x0 [0080.445] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".SYS") returned 0x0 [0080.445] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".OCX") returned 0x0 [0080.445] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".ocx") returned 0x0 [0080.445] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".LNK") returned 0x0 [0080.445] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".lnk") returned 0x0 [0080.445] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0080.445] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.445] lstrcpyW (in: lpString1=0x19e366, lpString2="ubOb0lDCzgG80Xvp.gif" | out: lpString1="ubOb0lDCzgG80Xvp.gif") returned="ubOb0lDCzgG80Xvp.gif" [0080.445] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.445] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e0 [0080.445] WaitForSingleObject (hHandle=0x2e0, dwMilliseconds=0xffffffff) returned 0x0 [0080.519] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.519] lstrcmpW (lpString1="UErVBDjTS99ZAVVf.mp4", lpString2="..") returned 1 [0080.519] lstrcmpW (lpString1="UErVBDjTS99ZAVVf.mp4", lpString2=".") returned 1 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="ClopReadMe.txt") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="ntldr") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="NTLDR") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="boot.ini") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="BOOT.INI") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="ntuser.ini") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="NTUSER.INI") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="autoexec.bat") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".Clop") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="NTDETECT.COM") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch="ntdetect.com") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".dll") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".DLL") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".exe") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".EXE") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".sys") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".SYS") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".OCX") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".ocx") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".LNK") returned 0x0 [0080.519] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".lnk") returned 0x0 [0080.519] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0080.519] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.519] lstrcpyW (in: lpString1=0x19e366, lpString2="UErVBDjTS99ZAVVf.mp4" | out: lpString1="UErVBDjTS99ZAVVf.mp4") returned="UErVBDjTS99ZAVVf.mp4" [0080.519] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.519] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e4 [0080.520] WaitForSingleObject (hHandle=0x2e4, dwMilliseconds=0xffffffff) returned 0x0 [0080.631] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.631] lstrcmpW (lpString1="v-4HDop8QcfjvXfepmKD.mp3", lpString2="..") returned 1 [0080.631] lstrcmpW (lpString1="v-4HDop8QcfjvXfepmKD.mp3", lpString2=".") returned 1 [0080.631] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="ClopReadMe.txt") returned 0x0 [0080.631] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="ntldr") returned 0x0 [0080.631] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="NTLDR") returned 0x0 [0080.631] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="boot.ini") returned 0x0 [0080.631] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="BOOT.INI") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="ntuser.ini") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="NTUSER.INI") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="autoexec.bat") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".Clop") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="NTDETECT.COM") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch="ntdetect.com") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".dll") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".DLL") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".exe") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".EXE") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".sys") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".SYS") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".OCX") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".ocx") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".LNK") returned 0x0 [0080.632] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".lnk") returned 0x0 [0080.632] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0080.632] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.632] lstrcpyW (in: lpString1=0x19e366, lpString2="v-4HDop8QcfjvXfepmKD.mp3" | out: lpString1="v-4HDop8QcfjvXfepmKD.mp3") returned="v-4HDop8QcfjvXfepmKD.mp3" [0080.632] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.632] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e8 [0080.632] WaitForSingleObject (hHandle=0x2e8, dwMilliseconds=0xffffffff) returned 0x0 [0080.775] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.775] lstrcmpW (lpString1="vJHGxh-.png", lpString2="..") returned 1 [0080.775] lstrcmpW (lpString1="vJHGxh-.png", lpString2=".") returned 1 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="ClopReadMe.txt") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="ntldr") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="NTLDR") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="boot.ini") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="BOOT.INI") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="ntuser.ini") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="NTUSER.INI") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="autoexec.bat") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".Clop") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="NTDETECT.COM") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch="ntdetect.com") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".dll") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".DLL") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".exe") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".EXE") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".sys") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".SYS") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".OCX") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".ocx") returned 0x0 [0080.775] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".LNK") returned 0x0 [0080.776] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".lnk") returned 0x0 [0080.776] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0080.776] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.776] lstrcpyW (in: lpString1=0x19e366, lpString2="vJHGxh-.png" | out: lpString1="vJHGxh-.png") returned="vJHGxh-.png" [0080.776] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0080.776] WaitForSingleObject (hHandle=0x2ec, dwMilliseconds=0xffffffff) returned 0x0 [0080.883] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.883] lstrcmpW (lpString1="VUe3zwqA.bmp", lpString2="..") returned 1 [0080.883] lstrcmpW (lpString1="VUe3zwqA.bmp", lpString2=".") returned 1 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="ClopReadMe.txt") returned 0x0 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="ntldr") returned 0x0 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="NTLDR") returned 0x0 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="boot.ini") returned 0x0 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="BOOT.INI") returned 0x0 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="ntuser.ini") returned 0x0 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="NTUSER.INI") returned 0x0 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="autoexec.bat") returned 0x0 [0080.883] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".Clop") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="NTDETECT.COM") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch="ntdetect.com") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".dll") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".DLL") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".exe") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".EXE") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".sys") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".SYS") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".OCX") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".ocx") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".LNK") returned 0x0 [0080.884] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".lnk") returned 0x0 [0080.884] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0080.884] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.884] lstrcpyW (in: lpString1=0x19e366, lpString2="VUe3zwqA.bmp" | out: lpString1="VUe3zwqA.bmp") returned="VUe3zwqA.bmp" [0080.884] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.884] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0080.884] WaitForSingleObject (hHandle=0x2f0, dwMilliseconds=0xffffffff) returned 0x0 [0080.983] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0080.983] lstrcmpW (lpString1="XX4thRNGxg6Fuju-.gif", lpString2="..") returned 1 [0080.983] lstrcmpW (lpString1="XX4thRNGxg6Fuju-.gif", lpString2=".") returned 1 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="ClopReadMe.txt") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="ntldr") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="NTLDR") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="boot.ini") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="BOOT.INI") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="ntuser.ini") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="NTUSER.INI") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="AUTOEXEC.BAT") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="autoexec.bat") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".Clop") returned 0x0 [0080.983] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="NTDETECT.COM") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch="ntdetect.com") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".dll") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".DLL") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".exe") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".EXE") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".sys") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".SYS") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".OCX") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".ocx") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".LNK") returned 0x0 [0080.984] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".lnk") returned 0x0 [0080.984] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0080.984] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.984] lstrcpyW (in: lpString1=0x19e366, lpString2="XX4thRNGxg6Fuju-.gif" | out: lpString1="XX4thRNGxg6Fuju-.gif") returned="XX4thRNGxg6Fuju-.gif" [0080.984] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.984] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f4 [0080.984] WaitForSingleObject (hHandle=0x2f4, dwMilliseconds=0xffffffff) returned 0x0 [0081.039] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0081.039] lstrcmpW (lpString1="YPIwdbokYQ4R 4UIuz5l.swf", lpString2="..") returned 1 [0081.039] lstrcmpW (lpString1="YPIwdbokYQ4R 4UIuz5l.swf", lpString2=".") returned 1 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="ClopReadMe.txt") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="ntldr") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="NTLDR") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="boot.ini") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="BOOT.INI") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="ntuser.ini") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="NTUSER.INI") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="autoexec.bat") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".Clop") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="NTDETECT.COM") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch="ntdetect.com") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".dll") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".DLL") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".exe") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".EXE") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".sys") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".SYS") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".OCX") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".ocx") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".LNK") returned 0x0 [0081.039] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".lnk") returned 0x0 [0081.039] wsprintfW (in: param_1=0x19f3a0, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0081.039] lstrcpyA (in: lpString1=0x19de08, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.039] lstrcpyW (in: lpString1=0x19e366, lpString2="YPIwdbokYQ4R 4UIuz5l.swf" | out: lpString1="YPIwdbokYQ4R 4UIuz5l.swf") returned="YPIwdbokYQ4R 4UIuz5l.swf" [0081.039] lstrcpyW (in: lpString1=0x19df66, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0081.039] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19de08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f8 [0081.040] WaitForSingleObject (hHandle=0x2f8, dwMilliseconds=0xffffffff) returned 0x0 [0081.096] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 0 [0081.096] FindClose (in: hFindFile=0x243878 | out: hFindFile=0x243878) returned 1 [0081.096] FindClose (in: hFindFile=0x243878 | out: hFindFile=0x243878) returned 0 [0081.097] lstrcpyW (in: lpString1=0x19eb80, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop" [0081.097] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop", lpString2="\\*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*" [0081.097] SetErrorMode (uMode=0x1) returned 0x1 [0081.097] wsprintfW (in: param_1=0x19d77c, param_2="%s\\ClopReadMe.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ClopReadMe.txt") returned 44 [0081.097] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\clopreadme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.097] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0081.097] FindResourceW (hModule=0x400000, lpName=0xb207, lpType="SIXSIX") returned 0x418748 [0081.097] LoadResource (hModule=0x400000, hResInfo=0x418748) returned 0x418af0 [0081.097] LockResource (hResData=0x418af0) returned 0x418af0 [0081.097] SizeofResource (hModule=0x400000, hResInfo=0x418748) returned 0x5b9 [0081.097] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\clopreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x25c [0081.098] WriteFile (in: hFile=0x25c, lpBuffer=0x25afb8*, nNumberOfBytesToWrite=0x5b9, lpNumberOfBytesWritten=0x19d774, lpOverlapped=0x0 | out: lpBuffer=0x25afb8*, lpNumberOfBytesWritten=0x19d774*=0x5b9, lpOverlapped=0x0) returned 1 [0081.099] CloseHandle (hObject=0x25c) returned 1 [0081.101] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*.*", lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 0x243878 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Chrome") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Mozilla") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Recycle.bin") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Microsoft") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="AhnLab") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Windows") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="All Users") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="ProgramData") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Program Files (x86)") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="Program Files") returned 0x0 [0081.101] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpSrch="PROGRAM FILES") returned 0x0 [0081.101] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0081.101] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.101] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0081.101] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.101] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0081.102] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0081.102] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0081.102] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0081.102] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0081.102] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0081.102] lstrcmpW (lpString1="843Dy1Ix8Wm9w9PNS", lpString2="..") returned 1 [0081.102] lstrcmpW (lpString1="843Dy1Ix8Wm9w9PNS", lpString2=".") returned 1 [0081.102] lstrcpyW (in: lpString1=0x19ef90, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop" [0081.102] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0081.102] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="843Dy1Ix8Wm9w9PNS" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS" [0081.102] SetErrorMode (uMode=0x1) returned 0x1 [0081.102] lstrcpyW (in: lpString1=0x19cf50, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS" [0081.102] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.102] lstrcpyW (in: lpString1=0x19cb40, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.102] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpString2="*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\*.*" [0081.102] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\*.*", lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 0x243978 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Chrome") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Mozilla") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Recycle.bin") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Microsoft") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="AhnLab") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Windows") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="All Users") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="ProgramData") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Program Files (x86)") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Program Files") returned 0x0 [0081.102] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="PROGRAM FILES") returned 0x0 [0081.102] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.103] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.103] lstrcmpW (lpString1="3cM9klXep32Nuxcrw.m4a", lpString2="..") returned 1 [0081.103] lstrcmpW (lpString1="3cM9klXep32Nuxcrw.m4a", lpString2=".") returned 1 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="ClopReadMe.txt") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="ntldr") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="NTLDR") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="boot.ini") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="BOOT.INI") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="ntuser.ini") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="NTUSER.INI") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="autoexec.bat") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".Clop") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="NTDETECT.COM") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch="ntdetect.com") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".dll") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".DLL") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".exe") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".EXE") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".sys") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".SYS") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".OCX") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".ocx") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".LNK") returned 0x0 [0081.103] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".lnk") returned 0x0 [0081.103] wsprintfW (in: param_1=0x19d770, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned 48 [0081.103] lstrcpyA (in: lpString1=0x19c1d8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.103] lstrcpyW (in: lpString1=0x19c736, lpString2="3cM9klXep32Nuxcrw.m4a" | out: lpString1="3cM9klXep32Nuxcrw.m4a") returned="3cM9klXep32Nuxcrw.m4a" [0081.103] lstrcpyW (in: lpString1=0x19c336, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.104] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19c1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0081.104] WaitForSingleObject (hHandle=0x304, dwMilliseconds=0xffffffff) returned 0x0 [0081.394] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.394] lstrcmpW (lpString1="e4VC-WbG.pptx", lpString2="..") returned 1 [0081.394] lstrcmpW (lpString1="e4VC-WbG.pptx", lpString2=".") returned 1 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="ClopReadMe.txt") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="ntldr") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="NTLDR") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="boot.ini") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="BOOT.INI") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="ntuser.ini") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="NTUSER.INI") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="autoexec.bat") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".Clop") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="NTDETECT.COM") returned 0x0 [0081.394] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch="ntdetect.com") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".dll") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".DLL") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".exe") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".EXE") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".sys") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".SYS") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".OCX") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".ocx") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".LNK") returned 0x0 [0081.395] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".lnk") returned 0x0 [0081.395] wsprintfW (in: param_1=0x19d770, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned 48 [0081.395] lstrcpyA (in: lpString1=0x19c1d8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.395] lstrcpyW (in: lpString1=0x19c736, lpString2="e4VC-WbG.pptx" | out: lpString1="e4VC-WbG.pptx") returned="e4VC-WbG.pptx" [0081.395] lstrcpyW (in: lpString1=0x19c336, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.395] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19c1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0081.397] WaitForSingleObject (hHandle=0x308, dwMilliseconds=0xffffffff) returned 0x0 [0081.497] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.498] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.498] lstrcmpW (lpString1="mLjbzi.wav", lpString2="..") returned 1 [0081.498] lstrcmpW (lpString1="mLjbzi.wav", lpString2=".") returned 1 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="ClopReadMe.txt") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="ntldr") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="NTLDR") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="boot.ini") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="BOOT.INI") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="ntuser.ini") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="NTUSER.INI") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="autoexec.bat") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".Clop") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="NTDETECT.COM") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch="ntdetect.com") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".dll") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".DLL") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".exe") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".EXE") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".sys") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".SYS") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".OCX") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".ocx") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".LNK") returned 0x0 [0081.498] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".lnk") returned 0x0 [0081.498] wsprintfW (in: param_1=0x19d770, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned 48 [0081.498] lstrcpyA (in: lpString1=0x19c1d8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.498] lstrcpyW (in: lpString1=0x19c736, lpString2="mLjbzi.wav" | out: lpString1="mLjbzi.wav") returned="mLjbzi.wav" [0081.498] lstrcpyW (in: lpString1=0x19c336, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19c1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0081.498] WaitForSingleObject (hHandle=0x300, dwMilliseconds=0xffffffff) returned 0x0 [0081.544] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.544] lstrcmpW (lpString1="q3vEzMh.jpg", lpString2="..") returned 1 [0081.544] lstrcmpW (lpString1="q3vEzMh.jpg", lpString2=".") returned 1 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="ClopReadMe.txt") returned 0x0 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="ntldr") returned 0x0 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="NTLDR") returned 0x0 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="boot.ini") returned 0x0 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="BOOT.INI") returned 0x0 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="ntuser.ini") returned 0x0 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="NTUSER.INI") returned 0x0 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="autoexec.bat") returned 0x0 [0081.544] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".Clop") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="NTDETECT.COM") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch="ntdetect.com") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".dll") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".DLL") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".exe") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".EXE") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".sys") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".SYS") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".OCX") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".ocx") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".LNK") returned 0x0 [0081.545] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".lnk") returned 0x0 [0081.545] wsprintfW (in: param_1=0x19d770, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned 48 [0081.545] lstrcpyA (in: lpString1=0x19c1d8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.545] lstrcpyW (in: lpString1=0x19c736, lpString2="q3vEzMh.jpg" | out: lpString1="q3vEzMh.jpg") returned="q3vEzMh.jpg" [0081.545] lstrcpyW (in: lpString1=0x19c336, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.545] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19c1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0081.545] WaitForSingleObject (hHandle=0x30c, dwMilliseconds=0xffffffff) returned 0x0 [0081.582] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.582] lstrcmpW (lpString1="tgt23cY kRsq.mkv", lpString2="..") returned 1 [0081.582] lstrcmpW (lpString1="tgt23cY kRsq.mkv", lpString2=".") returned 1 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="ClopReadMe.txt") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="ntldr") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="NTLDR") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="boot.ini") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="BOOT.INI") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="ntuser.ini") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="NTUSER.INI") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="autoexec.bat") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".Clop") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="NTDETECT.COM") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch="ntdetect.com") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".dll") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".DLL") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".exe") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".EXE") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".sys") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".SYS") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".OCX") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".ocx") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".LNK") returned 0x0 [0081.582] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".lnk") returned 0x0 [0081.582] wsprintfW (in: param_1=0x19d770, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned 48 [0081.582] lstrcpyA (in: lpString1=0x19c1d8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.582] lstrcpyW (in: lpString1=0x19c736, lpString2="tgt23cY kRsq.mkv" | out: lpString1="tgt23cY kRsq.mkv") returned="tgt23cY kRsq.mkv" [0081.582] lstrcpyW (in: lpString1=0x19c336, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.582] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19c1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x310 [0081.583] WaitForSingleObject (hHandle=0x310, dwMilliseconds=0xffffffff) returned 0x0 [0081.637] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.637] lstrcmpW (lpString1="vHN4y WQ89shIcD.mp3", lpString2="..") returned 1 [0081.637] lstrcmpW (lpString1="vHN4y WQ89shIcD.mp3", lpString2=".") returned 1 [0081.637] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="ClopReadMe.txt") returned 0x0 [0081.637] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="ntldr") returned 0x0 [0081.637] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="NTLDR") returned 0x0 [0081.637] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="boot.ini") returned 0x0 [0081.637] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="BOOT.INI") returned 0x0 [0081.637] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="ntuser.ini") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="NTUSER.INI") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="autoexec.bat") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".Clop") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="NTDETECT.COM") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch="ntdetect.com") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".dll") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".DLL") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".exe") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".EXE") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".sys") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".SYS") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".OCX") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".ocx") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".LNK") returned 0x0 [0081.638] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".lnk") returned 0x0 [0081.638] wsprintfW (in: param_1=0x19d770, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned 48 [0081.638] lstrcpyA (in: lpString1=0x19c1d8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.638] lstrcpyW (in: lpString1=0x19c736, lpString2="vHN4y WQ89shIcD.mp3" | out: lpString1="vHN4y WQ89shIcD.mp3") returned="vHN4y WQ89shIcD.mp3" [0081.638] lstrcpyW (in: lpString1=0x19c336, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.638] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19c1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0081.638] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0xffffffff) returned 0x0 [0081.683] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.683] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 0 [0081.683] FindClose (in: hFindFile=0x243978 | out: hFindFile=0x243978) returned 1 [0081.684] FindClose (in: hFindFile=0x243978 | out: hFindFile=0x243978) returned 0 [0081.684] lstrcpyW (in: lpString1=0x19cf50, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS" [0081.684] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS", lpString2="\\*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\*.*" [0081.684] SetErrorMode (uMode=0x1) returned 0x1 [0081.684] wsprintfW (in: param_1=0x19bb4c, param_2="%s\\ClopReadMe.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\ClopReadMe.txt") returned 62 [0081.684] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\clopreadme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.684] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0081.684] FindResourceW (hModule=0x400000, lpName=0xb207, lpType="SIXSIX") returned 0x418748 [0081.684] LoadResource (hModule=0x400000, hResInfo=0x418748) returned 0x418af0 [0081.684] LockResource (hResData=0x418af0) returned 0x418af0 [0081.684] SizeofResource (hModule=0x400000, hResInfo=0x418748) returned 0x5b9 [0081.685] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\clopreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2fc [0081.685] WriteFile (in: hFile=0x2fc, lpBuffer=0x25afb8*, nNumberOfBytesToWrite=0x5b9, lpNumberOfBytesWritten=0x19bb44, lpOverlapped=0x0 | out: lpBuffer=0x25afb8*, lpNumberOfBytesWritten=0x19bb44*=0x5b9, lpOverlapped=0x0) returned 1 [0081.686] CloseHandle (hObject=0x2fc) returned 1 [0081.687] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\*.*", lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 0x243978 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Chrome") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Mozilla") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Recycle.bin") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Microsoft") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="AhnLab") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Windows") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="All Users") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="ProgramData") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Program Files (x86)") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="Program Files") returned 0x0 [0081.687] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpSrch="PROGRAM FILES") returned 0x0 [0081.687] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0081.687] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.687] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.687] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.687] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.687] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.687] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.687] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0081.687] lstrcmpW (lpString1="EmFSG8fVo9kfhE4JVd", lpString2="..") returned 1 [0081.687] lstrcmpW (lpString1="EmFSG8fVo9kfhE4JVd", lpString2=".") returned 1 [0081.687] lstrcpyW (in: lpString1=0x19d360, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS" [0081.687] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.687] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpString2="EmFSG8fVo9kfhE4JVd" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd" [0081.687] SetErrorMode (uMode=0x1) returned 0x1 [0081.687] lstrcpyW (in: lpString1=0x19b320, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd" [0081.687] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.687] lstrcpyW (in: lpString1=0x19af10, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.687] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpString2="*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\*.*" [0081.687] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\*.*", lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 0x2434b8 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Chrome") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Mozilla") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Recycle.bin") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Microsoft") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="AhnLab") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Windows") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="All Users") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="ProgramData") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Program Files (x86)") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Program Files") returned 0x0 [0081.688] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="PROGRAM FILES") returned 0x0 [0081.688] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0081.688] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0081.688] lstrcmpW (lpString1="3rZJbwvUH5.mp3", lpString2="..") returned 1 [0081.688] lstrcmpW (lpString1="3rZJbwvUH5.mp3", lpString2=".") returned 1 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="ClopReadMe.txt") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="ntldr") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="NTLDR") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="boot.ini") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="BOOT.INI") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="ntuser.ini") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="NTUSER.INI") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="autoexec.bat") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".Clop") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="NTDETECT.COM") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch="ntdetect.com") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".dll") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".DLL") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".exe") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".EXE") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".sys") returned 0x0 [0081.688] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".SYS") returned 0x0 [0081.689] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".OCX") returned 0x0 [0081.689] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".ocx") returned 0x0 [0081.689] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".LNK") returned 0x0 [0081.689] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".lnk") returned 0x0 [0081.689] wsprintfW (in: param_1=0x19bb40, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned 67 [0081.689] lstrcpyA (in: lpString1=0x19a5a8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.689] lstrcpyW (in: lpString1=0x19ab06, lpString2="3rZJbwvUH5.mp3" | out: lpString1="3rZJbwvUH5.mp3") returned="3rZJbwvUH5.mp3" [0081.689] lstrcpyW (in: lpString1=0x19a706, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19a5a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0081.689] WaitForSingleObject (hHandle=0x320, dwMilliseconds=0xffffffff) returned 0x0 [0081.734] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0081.734] lstrcmpW (lpString1="8E6wl_qLQCNpnO.png", lpString2="..") returned 1 [0081.734] lstrcmpW (lpString1="8E6wl_qLQCNpnO.png", lpString2=".") returned 1 [0081.734] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="ClopReadMe.txt") returned 0x0 [0081.734] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="ntldr") returned 0x0 [0081.734] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="NTLDR") returned 0x0 [0081.734] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="boot.ini") returned 0x0 [0081.734] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="BOOT.INI") returned 0x0 [0081.734] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="ntuser.ini") returned 0x0 [0081.734] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="NTUSER.INI") returned 0x0 [0081.734] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="autoexec.bat") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".Clop") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="NTDETECT.COM") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch="ntdetect.com") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".dll") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".DLL") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".exe") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".EXE") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".sys") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".SYS") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".OCX") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".ocx") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".LNK") returned 0x0 [0081.735] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".lnk") returned 0x0 [0081.735] wsprintfW (in: param_1=0x19bb40, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned 67 [0081.735] lstrcpyA (in: lpString1=0x19a5a8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.735] lstrcpyW (in: lpString1=0x19ab06, lpString2="8E6wl_qLQCNpnO.png" | out: lpString1="8E6wl_qLQCNpnO.png") returned="8E6wl_qLQCNpnO.png" [0081.735] lstrcpyW (in: lpString1=0x19a706, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19a5a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x324 [0081.735] WaitForSingleObject (hHandle=0x324, dwMilliseconds=0xffffffff) returned 0x0 [0081.790] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0081.790] lstrcmpW (lpString1="d2eT4JK8.mp4", lpString2="..") returned 1 [0081.790] lstrcmpW (lpString1="d2eT4JK8.mp4", lpString2=".") returned 1 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="ClopReadMe.txt") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="ntldr") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="NTLDR") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="boot.ini") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="BOOT.INI") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="ntuser.ini") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="NTUSER.INI") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="autoexec.bat") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".Clop") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="NTDETECT.COM") returned 0x0 [0081.790] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch="ntdetect.com") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".dll") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".DLL") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".exe") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".EXE") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".sys") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".SYS") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".OCX") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".ocx") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".LNK") returned 0x0 [0081.791] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".lnk") returned 0x0 [0081.791] wsprintfW (in: param_1=0x19bb40, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned 67 [0081.791] lstrcpyA (in: lpString1=0x19a5a8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.791] lstrcpyW (in: lpString1=0x19ab06, lpString2="d2eT4JK8.mp4" | out: lpString1="d2eT4JK8.mp4") returned="d2eT4JK8.mp4" [0081.791] lstrcpyW (in: lpString1=0x19a706, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.791] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19a5a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x31c [0081.791] WaitForSingleObject (hHandle=0x31c, dwMilliseconds=0xffffffff) returned 0x0 [0081.890] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0081.890] lstrcmpW (lpString1="ObwlO7BZUXGUQwB0pQ.m4a", lpString2="..") returned 1 [0081.890] lstrcmpW (lpString1="ObwlO7BZUXGUQwB0pQ.m4a", lpString2=".") returned 1 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="ClopReadMe.txt") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="ntldr") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="NTLDR") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="boot.ini") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="BOOT.INI") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="ntuser.ini") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="NTUSER.INI") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="autoexec.bat") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".Clop") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="NTDETECT.COM") returned 0x0 [0081.890] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch="ntdetect.com") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".dll") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".DLL") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".exe") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".EXE") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".sys") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".SYS") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".OCX") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".ocx") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".LNK") returned 0x0 [0081.891] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".lnk") returned 0x0 [0081.891] wsprintfW (in: param_1=0x19bb40, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned 67 [0081.891] lstrcpyA (in: lpString1=0x19a5a8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.891] lstrcpyW (in: lpString1=0x19ab06, lpString2="ObwlO7BZUXGUQwB0pQ.m4a" | out: lpString1="ObwlO7BZUXGUQwB0pQ.m4a") returned="ObwlO7BZUXGUQwB0pQ.m4a" [0081.891] lstrcpyW (in: lpString1=0x19a706, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.891] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19a5a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x328 [0081.891] WaitForSingleObject (hHandle=0x328, dwMilliseconds=0xffffffff) returned 0x0 [0081.961] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0081.961] lstrcmpW (lpString1="UCjyyB8w66Rfl6SR.bmp", lpString2="..") returned 1 [0081.961] lstrcmpW (lpString1="UCjyyB8w66Rfl6SR.bmp", lpString2=".") returned 1 [0081.961] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="ClopReadMe.txt") returned 0x0 [0081.961] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="ntldr") returned 0x0 [0081.961] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="NTLDR") returned 0x0 [0081.961] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="boot.ini") returned 0x0 [0081.961] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="BOOT.INI") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="ntuser.ini") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="NTUSER.INI") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="AUTOEXEC.BAT") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="autoexec.bat") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".Clop") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="NTDETECT.COM") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch="ntdetect.com") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".dll") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".DLL") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".exe") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".EXE") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".sys") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".SYS") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".OCX") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".ocx") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".LNK") returned 0x0 [0081.962] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".lnk") returned 0x0 [0081.962] wsprintfW (in: param_1=0x19bb40, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned 67 [0081.962] lstrcpyA (in: lpString1=0x19a5a8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.962] lstrcpyW (in: lpString1=0x19ab06, lpString2="UCjyyB8w66Rfl6SR.bmp" | out: lpString1="UCjyyB8w66Rfl6SR.bmp") returned="UCjyyB8w66Rfl6SR.bmp" [0081.962] lstrcpyW (in: lpString1=0x19a706, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.962] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19a5a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0081.962] WaitForSingleObject (hHandle=0x32c, dwMilliseconds=0xffffffff) returned 0x0 [0082.055] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.055] lstrcmpW (lpString1="VzugFdG5q8.avi", lpString2="..") returned 1 [0082.055] lstrcmpW (lpString1="VzugFdG5q8.avi", lpString2=".") returned 1 [0082.055] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="ClopReadMe.txt") returned 0x0 [0082.055] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="ntldr") returned 0x0 [0082.055] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="NTLDR") returned 0x0 [0082.055] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="boot.ini") returned 0x0 [0082.055] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="BOOT.INI") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="ntuser.ini") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="NTUSER.INI") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="AUTOEXEC.BAT") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="autoexec.bat") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".Clop") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="NTDETECT.COM") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch="ntdetect.com") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".dll") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".DLL") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".exe") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".EXE") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".sys") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".SYS") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".OCX") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".ocx") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".LNK") returned 0x0 [0082.056] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".lnk") returned 0x0 [0082.056] wsprintfW (in: param_1=0x19bb40, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned 67 [0082.056] lstrcpyA (in: lpString1=0x19a5a8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.056] lstrcpyW (in: lpString1=0x19ab06, lpString2="VzugFdG5q8.avi" | out: lpString1="VzugFdG5q8.avi") returned="VzugFdG5q8.avi" [0082.056] lstrcpyW (in: lpString1=0x19a706, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0082.056] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19a5a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c8 [0082.056] WaitForSingleObject (hHandle=0x1c8, dwMilliseconds=0xffffffff) returned 0x0 [0082.121] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 0 [0082.121] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 1 [0082.121] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 0 [0082.121] lstrcpyW (in: lpString1=0x19b320, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd" [0082.121] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd", lpString2="\\*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\*.*" [0082.121] SetErrorMode (uMode=0x1) returned 0x1 [0082.121] wsprintfW (in: param_1=0x199f1c, param_2="%s\\ClopReadMe.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\ClopReadMe.txt") returned 81 [0082.121] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\clopreadme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.121] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0082.122] FindResourceW (hModule=0x400000, lpName=0xb207, lpType="SIXSIX") returned 0x418748 [0082.122] LoadResource (hModule=0x400000, hResInfo=0x418748) returned 0x418af0 [0082.122] LockResource (hResData=0x418af0) returned 0x418af0 [0082.122] SizeofResource (hModule=0x400000, hResInfo=0x418748) returned 0x5b9 [0082.122] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\clopreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0082.122] WriteFile (in: hFile=0x318, lpBuffer=0x25afb8*, nNumberOfBytesToWrite=0x5b9, lpNumberOfBytesWritten=0x199f14, lpOverlapped=0x0 | out: lpBuffer=0x25afb8*, lpNumberOfBytesWritten=0x199f14*=0x5b9, lpOverlapped=0x0) returned 1 [0082.123] CloseHandle (hObject=0x318) returned 1 [0082.123] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\*.*", lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 0x2434b8 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Chrome") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Mozilla") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Recycle.bin") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Microsoft") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="AhnLab") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Windows") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="All Users") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="ProgramData") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Program Files (x86)") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="Program Files") returned 0x0 [0082.123] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\", lpSrch="PROGRAM FILES") returned 0x0 [0082.123] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0082.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.123] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.123] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.123] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.123] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.123] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.123] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.123] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.123] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.124] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.124] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 0 [0082.124] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 1 [0082.124] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 0 [0082.124] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0082.124] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0082.124] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0082.124] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0082.124] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0082.124] lstrcmpW (lpString1="wXmwHJbln-GpgybDik", lpString2="..") returned 1 [0082.124] lstrcmpW (lpString1="wXmwHJbln-GpgybDik", lpString2=".") returned 1 [0082.124] lstrcpyW (in: lpString1=0x19d360, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS" [0082.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0082.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\", lpString2="wXmwHJbln-GpgybDik" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik" [0082.124] SetErrorMode (uMode=0x1) returned 0x1 [0082.124] lstrcpyW (in: lpString1=0x19b320, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik" [0082.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\" [0082.124] lstrcpyW (in: lpString1=0x19af10, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\" [0082.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpString2="*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\*.*" [0082.124] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\*.*", lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 0x2434b8 [0082.124] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Chrome") returned 0x0 [0082.124] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Mozilla") returned 0x0 [0082.124] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Recycle.bin") returned 0x0 [0082.124] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Microsoft") returned 0x0 [0082.124] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="AhnLab") returned 0x0 [0082.124] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Windows") returned 0x0 [0082.124] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="All Users") returned 0x0 [0082.124] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="ProgramData") returned 0x0 [0082.125] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Program Files (x86)") returned 0x0 [0082.125] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0082.125] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Program Files") returned 0x0 [0082.125] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="PROGRAM FILES") returned 0x0 [0082.125] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.125] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.125] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.125] lstrcmpW (lpString1="wHBG1 KhJkOY8rUr-B.jpg", lpString2="..") returned 1 [0082.125] lstrcmpW (lpString1="wHBG1 KhJkOY8rUr-B.jpg", lpString2=".") returned 1 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="ClopReadMe.txt") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="ntldr") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="NTLDR") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="boot.ini") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="BOOT.INI") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="ntuser.ini") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="NTUSER.INI") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="AUTOEXEC.BAT") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="autoexec.bat") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".Clop") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="NTDETECT.COM") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch="ntdetect.com") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".dll") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".DLL") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".exe") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".EXE") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".sys") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".SYS") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".OCX") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".ocx") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".LNK") returned 0x0 [0082.125] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".lnk") returned 0x0 [0082.125] wsprintfW (in: param_1=0x19bb40, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\") returned 67 [0082.125] lstrcpyA (in: lpString1=0x19a5a8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.125] lstrcpyW (in: lpString1=0x19ab06, lpString2="wHBG1 KhJkOY8rUr-B.jpg" | out: lpString1="wHBG1 KhJkOY8rUr-B.jpg") returned="wHBG1 KhJkOY8rUr-B.jpg" [0082.125] lstrcpyW (in: lpString1=0x19a706, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\" [0082.125] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19a5a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x334 [0082.126] WaitForSingleObject (hHandle=0x334, dwMilliseconds=0xffffffff) returned 0x0 [0082.155] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 0 [0082.155] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 1 [0082.155] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 0 [0082.155] lstrcpyW (in: lpString1=0x19b320, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik" [0082.155] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik", lpString2="\\*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\*.*" [0082.155] SetErrorMode (uMode=0x1) returned 0x1 [0082.155] wsprintfW (in: param_1=0x199f1c, param_2="%s\\ClopReadMe.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\ClopReadMe.txt") returned 81 [0082.155] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\clopreadme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.155] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0082.155] FindResourceW (hModule=0x400000, lpName=0xb207, lpType="SIXSIX") returned 0x418748 [0082.156] LoadResource (hModule=0x400000, hResInfo=0x418748) returned 0x418af0 [0082.156] LockResource (hResData=0x418af0) returned 0x418af0 [0082.156] SizeofResource (hModule=0x400000, hResInfo=0x418748) returned 0x5b9 [0082.156] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\clopreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0082.156] WriteFile (in: hFile=0x318, lpBuffer=0x267b00*, nNumberOfBytesToWrite=0x5b9, lpNumberOfBytesWritten=0x199f14, lpOverlapped=0x0 | out: lpBuffer=0x267b00*, lpNumberOfBytesWritten=0x199f14*=0x5b9, lpOverlapped=0x0) returned 1 [0082.157] CloseHandle (hObject=0x318) returned 1 [0082.157] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\*.*", lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 0x2434b8 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Chrome") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Mozilla") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Recycle.bin") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Microsoft") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="AhnLab") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Windows") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="All Users") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="ProgramData") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Program Files (x86)") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="Program Files") returned 0x0 [0082.157] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpSrch="PROGRAM FILES") returned 0x0 [0082.157] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0082.157] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.157] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.157] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.157] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.157] lstrcmpW (lpString1="5-VS 8B3", lpString2="..") returned 1 [0082.157] lstrcmpW (lpString1="5-VS 8B3", lpString2=".") returned 1 [0082.157] lstrcpyW (in: lpString1=0x19b730, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik" [0082.158] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\" [0082.158] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\", lpString2="5-VS 8B3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3" [0082.158] SetErrorMode (uMode=0x1) returned 0x1 [0082.158] lstrcpyW (in: lpString1=0x1996f0, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3" [0082.158] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" [0082.158] lstrcpyW (in: lpString1=0x1992e0, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" [0082.158] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpString2="*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\*.*" [0082.158] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\*.*", lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 0x243138 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Chrome") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Mozilla") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Recycle.bin") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Microsoft") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="AhnLab") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Windows") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="All Users") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="ProgramData") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Program Files (x86)") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Program Files") returned 0x0 [0082.158] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="PROGRAM FILES") returned 0x0 [0082.158] FindNextFileW (in: hFindFile=0x243138, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 1 [0082.158] FindNextFileW (in: hFindFile=0x243138, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 1 [0082.158] lstrcmpW (lpString1="1GuphSZyRIMnQ5w0EQ.avi", lpString2="..") returned 1 [0082.158] lstrcmpW (lpString1="1GuphSZyRIMnQ5w0EQ.avi", lpString2=".") returned 1 [0082.158] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="ClopReadMe.txt") returned 0x0 [0082.158] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="ntldr") returned 0x0 [0082.158] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="NTLDR") returned 0x0 [0082.158] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="boot.ini") returned 0x0 [0082.158] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="BOOT.INI") returned 0x0 [0082.158] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="ntuser.ini") returned 0x0 [0082.158] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="NTUSER.INI") returned 0x0 [0082.158] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="AUTOEXEC.BAT") returned 0x0 [0082.158] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="autoexec.bat") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".Clop") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="NTDETECT.COM") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch="ntdetect.com") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".dll") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".DLL") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".exe") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".EXE") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".sys") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".SYS") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".OCX") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".ocx") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".LNK") returned 0x0 [0082.159] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".lnk") returned 0x0 [0082.159] wsprintfW (in: param_1=0x199f10, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned 76 [0082.159] lstrcpyA (in: lpString1=0x198978, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.159] lstrcpyW (in: lpString1=0x198ed6, lpString2="1GuphSZyRIMnQ5w0EQ.avi" | out: lpString1="1GuphSZyRIMnQ5w0EQ.avi") returned="1GuphSZyRIMnQ5w0EQ.avi" [0082.159] lstrcpyW (in: lpString1=0x198ad6, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" [0082.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x198978, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x338 [0082.159] WaitForSingleObject (hHandle=0x338, dwMilliseconds=0xffffffff) returned 0x0 [0082.266] FindNextFileW (in: hFindFile=0x243138, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 1 [0082.266] lstrcmpW (lpString1="H4KR8e.gif", lpString2="..") returned 1 [0082.266] lstrcmpW (lpString1="H4KR8e.gif", lpString2=".") returned 1 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="ClopReadMe.txt") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="ntldr") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="NTLDR") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="boot.ini") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="BOOT.INI") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="ntuser.ini") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="NTUSER.INI") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="AUTOEXEC.BAT") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="autoexec.bat") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".Clop") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="NTDETECT.COM") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch="ntdetect.com") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".dll") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".DLL") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".exe") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".EXE") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".sys") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".SYS") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".OCX") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".ocx") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".LNK") returned 0x0 [0082.266] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".lnk") returned 0x0 [0082.266] wsprintfW (in: param_1=0x199f10, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned 76 [0082.266] lstrcpyA (in: lpString1=0x198978, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.266] lstrcpyW (in: lpString1=0x198ed6, lpString2="H4KR8e.gif" | out: lpString1="H4KR8e.gif") returned="H4KR8e.gif" [0082.266] lstrcpyW (in: lpString1=0x198ad6, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" [0082.266] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x198978, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x33c [0082.267] WaitForSingleObject (hHandle=0x33c, dwMilliseconds=0xffffffff) returned 0x0 [0082.294] FindNextFileW (in: hFindFile=0x243138, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 1 [0082.294] lstrcmpW (lpString1="xMyQQvGf.doc", lpString2="..") returned 1 [0082.294] lstrcmpW (lpString1="xMyQQvGf.doc", lpString2=".") returned 1 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="ClopReadMe.txt") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="ntldr") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="NTLDR") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="boot.ini") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="BOOT.INI") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="ntuser.ini") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="NTUSER.INI") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="AUTOEXEC.BAT") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="autoexec.bat") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".Clop") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="NTDETECT.COM") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch="ntdetect.com") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".dll") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".DLL") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".exe") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".EXE") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".sys") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".SYS") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".OCX") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".ocx") returned 0x0 [0082.294] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".LNK") returned 0x0 [0082.295] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".lnk") returned 0x0 [0082.295] wsprintfW (in: param_1=0x199f10, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned 76 [0082.295] lstrcpyA (in: lpString1=0x198978, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.295] lstrcpyW (in: lpString1=0x198ed6, lpString2="xMyQQvGf.doc" | out: lpString1="xMyQQvGf.doc") returned="xMyQQvGf.doc" [0082.295] lstrcpyW (in: lpString1=0x198ad6, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" [0082.295] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x198978, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x330 [0082.295] WaitForSingleObject (hHandle=0x330, dwMilliseconds=0xffffffff) returned 0x0 [0082.678] FindNextFileW (in: hFindFile=0x243138, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 0 [0082.678] FindClose (in: hFindFile=0x243138 | out: hFindFile=0x243138) returned 1 [0082.678] FindClose (in: hFindFile=0x243138 | out: hFindFile=0x243138) returned 0 [0082.678] lstrcpyW (in: lpString1=0x1996f0, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3" [0082.678] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3", lpString2="\\*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\*.*" [0082.678] SetErrorMode (uMode=0x1) returned 0x1 [0082.678] wsprintfW (in: param_1=0x1982ec, param_2="%s\\ClopReadMe.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\ClopReadMe.txt") returned 90 [0082.678] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\clopreadme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.678] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0082.678] FindResourceW (hModule=0x400000, lpName=0xb207, lpType="SIXSIX") returned 0x418748 [0082.678] LoadResource (hModule=0x400000, hResInfo=0x418748) returned 0x418af0 [0082.678] LockResource (hResData=0x418af0) returned 0x418af0 [0082.678] SizeofResource (hModule=0x400000, hResInfo=0x418748) returned 0x5b9 [0082.679] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\clopreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0082.679] WriteFile (in: hFile=0x1cc, lpBuffer=0x267b00*, nNumberOfBytesToWrite=0x5b9, lpNumberOfBytesWritten=0x1982e4, lpOverlapped=0x0 | out: lpBuffer=0x267b00*, lpNumberOfBytesWritten=0x1982e4*=0x5b9, lpOverlapped=0x0) returned 1 [0082.680] CloseHandle (hObject=0x1cc) returned 1 [0082.680] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\*.*", lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 0x243238 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Chrome") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Mozilla") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Recycle.bin") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Microsoft") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="AhnLab") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Windows") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="All Users") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="ProgramData") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Program Files (x86)") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="Program Files") returned 0x0 [0082.680] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\", lpSrch="PROGRAM FILES") returned 0x0 [0082.680] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0082.680] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.680] FindNextFileW (in: hFindFile=0x243238, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 1 [0082.680] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.680] FindNextFileW (in: hFindFile=0x243238, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 1 [0082.680] FindNextFileW (in: hFindFile=0x243238, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 1 [0082.680] FindNextFileW (in: hFindFile=0x243238, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 1 [0082.680] FindNextFileW (in: hFindFile=0x243238, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 1 [0082.680] FindNextFileW (in: hFindFile=0x243238, lpFindFileData=0x198728 | out: lpFindFileData=0x198728) returned 0 [0082.680] FindClose (in: hFindFile=0x243238 | out: hFindFile=0x243238) returned 1 [0082.681] FindClose (in: hFindFile=0x243238 | out: hFindFile=0x243238) returned 0 [0082.681] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19a358 | out: lpFindFileData=0x19a358) returned 0 [0082.681] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 1 [0082.681] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 0 [0082.681] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 0 [0082.681] FindClose (in: hFindFile=0x243978 | out: hFindFile=0x243978) returned 1 [0082.681] FindClose (in: hFindFile=0x243978 | out: hFindFile=0x243978) returned 0 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.682] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0082.682] lstrcmpW (lpString1="RLLU ZUe1iZ8", lpString2="..") returned 1 [0082.682] lstrcmpW (lpString1="RLLU ZUe1iZ8", lpString2=".") returned 1 [0082.682] lstrcpyW (in: lpString1=0x19ef90, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop" [0082.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0082.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="RLLU ZUe1iZ8" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8" [0082.682] SetErrorMode (uMode=0x1) returned 0x1 [0082.682] lstrcpyW (in: lpString1=0x19cf50, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8" [0082.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" [0082.682] lstrcpyW (in: lpString1=0x19cb40, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" [0082.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpString2="*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\*.*" [0082.682] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\*.*", lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 0x2434b8 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Chrome") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Mozilla") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Recycle.bin") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Microsoft") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="AhnLab") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Windows") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="All Users") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="ProgramData") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Program Files (x86)") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Program Files") returned 0x0 [0082.682] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="PROGRAM FILES") returned 0x0 [0082.682] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0082.682] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0082.682] lstrcmpW (lpString1="cBP N0kdCH8mn.mp3", lpString2="..") returned 1 [0082.682] lstrcmpW (lpString1="cBP N0kdCH8mn.mp3", lpString2=".") returned 1 [0082.682] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="ClopReadMe.txt") returned 0x0 [0082.682] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="ntldr") returned 0x0 [0082.682] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="NTLDR") returned 0x0 [0082.682] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="boot.ini") returned 0x0 [0082.682] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="BOOT.INI") returned 0x0 [0082.682] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="ntuser.ini") returned 0x0 [0082.682] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="NTUSER.INI") returned 0x0 [0082.682] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="AUTOEXEC.BAT") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="autoexec.bat") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".Clop") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="NTDETECT.COM") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch="ntdetect.com") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".dll") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".DLL") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".exe") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".EXE") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".sys") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".SYS") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".OCX") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".ocx") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".LNK") returned 0x0 [0082.683] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".lnk") returned 0x0 [0082.683] wsprintfW (in: param_1=0x19d770, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned 44 [0082.683] lstrcpyA (in: lpString1=0x19c1d8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.683] lstrcpyW (in: lpString1=0x19c736, lpString2="cBP N0kdCH8mn.mp3" | out: lpString1="cBP N0kdCH8mn.mp3") returned="cBP N0kdCH8mn.mp3" [0082.683] lstrcpyW (in: lpString1=0x19c336, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" [0082.683] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19c1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0082.683] WaitForSingleObject (hHandle=0x318, dwMilliseconds=0xffffffff) returned 0x0 [0082.967] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0082.967] lstrcmpW (lpString1="vIuuzBVEyKDY.mkv", lpString2="..") returned 1 [0082.967] lstrcmpW (lpString1="vIuuzBVEyKDY.mkv", lpString2=".") returned 1 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="ClopReadMe.txt") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="ntldr") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="NTLDR") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="boot.ini") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="BOOT.INI") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="ntuser.ini") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="NTUSER.INI") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="AUTOEXEC.BAT") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="autoexec.bat") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".Clop") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="NTDETECT.COM") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch="ntdetect.com") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".dll") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".DLL") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".exe") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".EXE") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".sys") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".SYS") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".OCX") returned 0x0 [0082.967] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".ocx") returned 0x0 [0082.968] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".LNK") returned 0x0 [0082.968] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".lnk") returned 0x0 [0082.968] wsprintfW (in: param_1=0x19d770, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned 44 [0082.968] lstrcpyA (in: lpString1=0x19c1d8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.968] lstrcpyW (in: lpString1=0x19c736, lpString2="vIuuzBVEyKDY.mkv" | out: lpString1="vIuuzBVEyKDY.mkv") returned="vIuuzBVEyKDY.mkv" [0082.968] lstrcpyW (in: lpString1=0x19c336, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" [0082.968] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19c1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x340 [0082.968] WaitForSingleObject (hHandle=0x340, dwMilliseconds=0xffffffff) returned 0x0 [0083.057] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0083.057] lstrcmpW (lpString1="YxwGk89V20MALzff.bmp", lpString2="..") returned 1 [0083.057] lstrcmpW (lpString1="YxwGk89V20MALzff.bmp", lpString2=".") returned 1 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="ClopReadMe.txt") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="ntldr") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="NTLDR") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="boot.ini") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="BOOT.INI") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="ntuser.ini") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="NTUSER.INI") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="AUTOEXEC.BAT") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="autoexec.bat") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".Clop") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="NTDETECT.COM") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch="ntdetect.com") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".dll") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".DLL") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".exe") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".EXE") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".sys") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".SYS") returned 0x0 [0083.057] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".OCX") returned 0x0 [0083.058] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".ocx") returned 0x0 [0083.058] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".LNK") returned 0x0 [0083.058] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".lnk") returned 0x0 [0083.058] wsprintfW (in: param_1=0x19d770, param_2="%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned 44 [0083.058] lstrcpyA (in: lpString1=0x19c1d8, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0083.058] lstrcpyW (in: lpString1=0x19c736, lpString2="YxwGk89V20MALzff.bmp" | out: lpString1="YxwGk89V20MALzff.bmp") returned="YxwGk89V20MALzff.bmp" [0083.058] lstrcpyW (in: lpString1=0x19c336, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" [0083.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40c920, lpParameter=0x19c1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1cc [0083.059] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) returned 0x0 [0083.126] FindNextFileW (in: hFindFile=0x2434b8, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 0 [0083.126] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 1 [0083.126] FindClose (in: hFindFile=0x2434b8 | out: hFindFile=0x2434b8) returned 0 [0083.126] lstrcpyW (in: lpString1=0x19cf50, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8" [0083.126] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8", lpString2="\\*.*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\*.*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\*.*" [0083.126] SetErrorMode (uMode=0x1) returned 0x1 [0083.126] wsprintfW (in: param_1=0x19bb4c, param_2="%s\\ClopReadMe.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\ClopReadMe.txt") returned 58 [0083.126] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\clopreadme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0083.127] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0083.127] FindResourceW (hModule=0x400000, lpName=0xb207, lpType="SIXSIX") returned 0x418748 [0083.127] LoadResource (hModule=0x400000, hResInfo=0x418748) returned 0x418af0 [0083.127] LockResource (hResData=0x418af0) returned 0x418af0 [0083.127] SizeofResource (hModule=0x400000, hResInfo=0x418748) returned 0x5b9 [0083.127] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\ClopReadMe.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\clopreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2fc [0083.127] WriteFile (in: hFile=0x2fc, lpBuffer=0x267b00*, nNumberOfBytesToWrite=0x5b9, lpNumberOfBytesWritten=0x19bb44, lpOverlapped=0x0 | out: lpBuffer=0x267b00*, lpNumberOfBytesWritten=0x19bb44*=0x5b9, lpOverlapped=0x0) returned 1 [0083.128] CloseHandle (hObject=0x2fc) returned 1 [0083.128] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\*.*", lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 0x243978 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Chrome") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Mozilla") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Recycle.bin") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Microsoft") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="AhnLab") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Windows") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="All Users") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="ProgramData") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Program Files (x86)") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="PROGRAM FILES (X86)") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="Program Files") returned 0x0 [0083.128] StrStrW (lpFirst="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\", lpSrch="PROGRAM FILES") returned 0x0 [0083.128] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0083.128] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.129] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0083.129] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.129] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243978, lpFindFileData=0x19bf88 | out: lpFindFileData=0x19bf88) returned 0 [0083.129] FindClose (in: hFindFile=0x243978 | out: hFindFile=0x243978) returned 1 [0083.129] FindClose (in: hFindFile=0x243978 | out: hFindFile=0x243978) returned 0 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 1 [0083.129] FindNextFileW (in: hFindFile=0x243878, lpFindFileData=0x19dbb8 | out: lpFindFileData=0x19dbb8) returned 0 [0083.129] FindClose (in: hFindFile=0x243878 | out: hFindFile=0x243878) returned 1 [0083.129] FindClose (in: hFindFile=0x243878 | out: hFindFile=0x243878) returned 0 [0083.129] Sleep (dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xe90 Thread: id = 3 os_tid = 0xf7c [0063.819] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x23bff64 | out: lphEnum=0x23bff64*=0x227768) returned 0x0 [0064.355] WNetEnumResourceW (in: hEnum=0x227768, lpcCount=0x23bff68, lpBuffer=0x22f4e0, lpBufferSize=0x23bff6c | out: lpcCount=0x23bff68, lpBuffer=0x22f4e0, lpBufferSize=0x23bff6c) returned 0x0 [0064.355] WNetCloseEnum (hEnum=0x227768) returned 0x0 [0064.355] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x22f4e0, lphEnum=0x23bff34 | out: lphEnum=0x23bff34*=0x22b180) returned 0x0 [0064.359] WNetEnumResourceW (in: hEnum=0x22b180, lpcCount=0x23bff38, lpBuffer=0x239b70, lpBufferSize=0x23bff3c | out: lpcCount=0x23bff38, lpBuffer=0x239b70, lpBufferSize=0x23bff3c) returned 0x103 [0064.359] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x22f500, lphEnum=0x23bff34 | out: lphEnum=0x23bff34*=0x0) returned 0x4b8 [0076.896] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x22f520, lphEnum=0x23bff34 | out: lphEnum=0x23bff34*=0x0) returned 0x4c6 [0076.897] Sleep (dwMilliseconds=0x1388) Thread: id = 4 os_tid = 0xf84 [0064.343] lstrcpyW (in: lpString1=0x24bff68, lpString2="D:" | out: lpString1="D:") returned="D:" [0064.343] SetErrorMode (uMode=0x1) returned 0x1 [0064.343] lstrcpyW (in: lpString1=0x24bf320, lpString2="D:" | out: lpString1="D:") returned="D:" [0064.343] lstrcatW (in: lpString1="D:", lpString2="\\" | out: lpString1="D:\\") returned="D:\\" [0064.343] lstrcpyW (in: lpString1=0x24bef10, lpString2="D:\\" | out: lpString1="D:\\") returned="D:\\" [0064.343] lstrcatW (in: lpString1="D:\\", lpString2="*.*" | out: lpString1="D:\\*.*") returned="D:\\*.*" [0064.343] FindFirstFileW (in: lpFileName="D:\\*.*", lpFindFileData=0x24be358 | out: lpFindFileData=0x24be358) returned 0xffffffff [0064.343] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0064.343] lstrcpyW (in: lpString1=0x24bf320, lpString2="D:" | out: lpString1="D:") returned="D:" [0064.344] lstrcatW (in: lpString1="D:", lpString2="\\*.*" | out: lpString1="D:\\*.*") returned="D:\\*.*" [0064.344] StrStrW (lpFirst="D:\\", lpSrch="Desktop") returned 0x0 [0064.344] StrStrW (lpFirst="D:\\", lpSrch="DESKTOP") returned 0x0 [0064.344] SetErrorMode (uMode=0x1) returned 0x1 [0064.344] wsprintfW (in: param_1=0x24bdf1c, param_2="%s\\ClopReadMe.txt" | out: param_1="D:\\ClopReadMe.txt") returned 17 [0064.349] CreateFileW (lpFileName="D:\\ClopReadMe.txt" (normalized: "d:\\clopreadme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0064.349] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0064.349] FindResourceW (hModule=0x400000, lpName=0xb207, lpType="SIXSIX") returned 0x418748 [0064.349] LoadResource (hModule=0x400000, hResInfo=0x418748) returned 0x418af0 [0064.349] LockResource (hResData=0x418af0) returned 0x418af0 [0064.349] SizeofResource (hModule=0x400000, hResInfo=0x418748) returned 0x5b9 [0064.354] CreateFileW (lpFileName="D:\\ClopReadMe.txt" (normalized: "d:\\clopreadme.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0064.354] FindFirstFileW (in: lpFileName="D:\\*.*", lpFindFileData=0x24be358 | out: lpFindFileData=0x24be358) returned 0xffffffff [0064.354] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0064.354] Sleep (dwMilliseconds=0x1388) Thread: id = 5 os_tid = 0xc38 [0077.433] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.433] lstrcpyW (in: lpString1=0x259fa1c, lpString2="-iMb6We3lfA1Z-Fb.m4a" | out: lpString1="-iMb6We3lfA1Z-Fb.m4a") returned="-iMb6We3lfA1Z-Fb.m4a" [0077.433] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.433] SetErrorMode (uMode=0x1) returned 0x1 [0077.433] lstrcpyW (in: lpString1=0x259e1ec, lpString2="-iMb6We3lfA1Z-Fb.m4a" | out: lpString1="-iMb6We3lfA1Z-Fb.m4a") returned="-iMb6We3lfA1Z-Fb.m4a" [0077.433] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-iMb6We3lfA1Z-Fb.m4a") returned 50 [0077.433] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-iMb6We3lfA1Z-Fb.m4a", dwFileAttributes=0x20) returned 1 [0077.434] StrStrW (lpFirst="-iMb6We3lfA1Z-Fb.m4a", lpSrch=".Clop") returned 0x0 [0077.434] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-iMb6We3lfA1Z-Fb.m4a.Clop") returned 55 [0077.434] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-iMb6We3lfA1Z-Fb.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\-imb6we3lfa1z-fb.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x258 [0077.435] ReadFile (in: hFile=0x258, lpBuffer=0x244b58, nNumberOfBytesToRead=0xc8cd, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x244b58*, lpNumberOfBytesRead=0x259e1d8*=0xc8cd, lpOverlapped=0x0) returned 1 [0077.435] CloseHandle (hObject=0x258) returned 1 [0077.436] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x360000 [0077.436] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0077.436] SetErrorMode (uMode=0x1) returned 0x1 [0077.436] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x2429e8) returned 1 [0077.761] CryptGenKey (in: hProv=0x2429e8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x2436b8) returned 1 [0077.829] CryptExportKey (in: hKey=0x2436b8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0077.829] CryptExportKey (in: hKey=0x2436b8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x600000, pdwDataLen=0x259e1d4 | out: pbData=0x600000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0077.829] CryptDestroyKey (hKey=0x2436b8) returned 1 [0077.829] CryptReleaseContext (hProv=0x2429e8, dwFlags=0x0) returned 1 [0077.829] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-iMb6We3lfA1Z-Fb.m4a.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\-imb6we3lfa1z-fb.m4a.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x298 [0077.830] WriteFile (in: hFile=0x298, lpBuffer=0x244b58*, nNumberOfBytesToWrite=0xc8cd, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x244b58*, lpNumberOfBytesWritten=0x259e1e8*=0xc8cd, lpOverlapped=0x0) returned 1 [0077.831] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc8cd [0077.831] WriteFile (in: hFile=0x298, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0077.831] SetFilePointer (in: hFile=0x298, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xc8d4 [0077.831] SetErrorMode (uMode=0x1) returned 0x1 [0077.831] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0077.831] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0077.831] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0077.833] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x256f20) returned 1 [0077.833] CryptImportPublicKeyInfoEx (in: hCryptProv=0x256f20, dwCertEncodingType=0x1, pInfo=0x229858, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2439f8) returned 1 [0077.834] CryptEncrypt (in: hKey=0x2439f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0077.834] CryptEncrypt (in: hKey=0x2439f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x255ad8*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x255ad8*, pdwDataLen=0x259d19c*=0x80) returned 1 [0077.834] WriteFile (in: hFile=0x298, lpBuffer=0x255ad8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x255ad8*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0077.834] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0077.834] VirtualFree (lpAddress=0x360000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.834] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.834] CloseHandle (hObject=0x298) returned 1 [0077.836] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-iMb6We3lfA1Z-Fb.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\-imb6we3lfa1z-fb.m4a")) returned 1 Thread: id = 6 os_tid = 0xc7c [0077.840] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.840] lstrcpyW (in: lpString1=0x259fa1c, lpString2="-uqdFL.swf" | out: lpString1="-uqdFL.swf") returned="-uqdFL.swf" [0077.840] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.840] SetErrorMode (uMode=0x1) returned 0x1 [0077.840] lstrcpyW (in: lpString1=0x259e1ec, lpString2="-uqdFL.swf" | out: lpString1="-uqdFL.swf") returned="-uqdFL.swf" [0077.840] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-uqdFL.swf") returned 40 [0077.840] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-uqdFL.swf", dwFileAttributes=0x20) returned 1 [0077.841] StrStrW (lpFirst="-uqdFL.swf", lpSrch=".Clop") returned 0x0 [0077.841] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-uqdFL.swf.Clop") returned 45 [0077.841] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-uqdFL.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\-uqdfl.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x270 [0077.841] ReadFile (in: hFile=0x270, lpBuffer=0x244b58, nNumberOfBytesToRead=0xb231, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x244b58*, lpNumberOfBytesRead=0x259e1d8*=0xb231, lpOverlapped=0x0) returned 1 [0077.842] CloseHandle (hObject=0x270) returned 1 [0077.842] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0077.842] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0077.842] SetErrorMode (uMode=0x1) returned 0x1 [0077.842] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x2553b0) returned 1 [0077.844] CryptGenKey (in: hProv=0x2553b0, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243a78) returned 1 [0077.889] CryptExportKey (in: hKey=0x243a78, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0077.889] CryptExportKey (in: hKey=0x243a78, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0077.889] CryptDestroyKey (hKey=0x243a78) returned 1 [0077.889] CryptReleaseContext (hProv=0x2553b0, dwFlags=0x0) returned 1 [0077.890] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-uqdFL.swf.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\-uqdfl.swf.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x270 [0077.890] WriteFile (in: hFile=0x270, lpBuffer=0x244b58*, nNumberOfBytesToWrite=0xb231, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x244b58*, lpNumberOfBytesWritten=0x259e1e8*=0xb231, lpOverlapped=0x0) returned 1 [0077.891] SetFilePointer (in: hFile=0x270, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xb231 [0077.891] WriteFile (in: hFile=0x270, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0077.891] SetFilePointer (in: hFile=0x270, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xb238 [0077.891] SetErrorMode (uMode=0x1) returned 0x1 [0077.891] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0077.891] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0077.891] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0077.891] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x2553b0) returned 1 [0077.892] CryptImportPublicKeyInfoEx (in: hCryptProv=0x2553b0, dwCertEncodingType=0x1, pInfo=0x2296b8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243a78) returned 1 [0077.892] CryptEncrypt (in: hKey=0x243a78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0077.892] CryptEncrypt (in: hKey=0x243a78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x255608*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x255608*, pdwDataLen=0x259d19c*=0x80) returned 1 [0077.892] WriteFile (in: hFile=0x270, lpBuffer=0x255608*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x255608*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0077.892] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0077.892] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.892] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.892] CloseHandle (hObject=0x270) returned 1 [0077.893] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-uqdFL.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\-uqdfl.swf")) returned 1 Thread: id = 7 os_tid = 0xc88 [0077.897] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.897] lstrcpyW (in: lpString1=0x259fa1c, lpString2="-W1ANSK7kJ9rC2R Vp-0.avi" | out: lpString1="-W1ANSK7kJ9rC2R Vp-0.avi") returned="-W1ANSK7kJ9rC2R Vp-0.avi" [0077.897] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.897] SetErrorMode (uMode=0x1) returned 0x1 [0077.897] lstrcpyW (in: lpString1=0x259e1ec, lpString2="-W1ANSK7kJ9rC2R Vp-0.avi" | out: lpString1="-W1ANSK7kJ9rC2R Vp-0.avi") returned="-W1ANSK7kJ9rC2R Vp-0.avi" [0077.897] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-W1ANSK7kJ9rC2R Vp-0.avi") returned 54 [0077.897] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-W1ANSK7kJ9rC2R Vp-0.avi", dwFileAttributes=0x20) returned 1 [0077.898] StrStrW (lpFirst="-W1ANSK7kJ9rC2R Vp-0.avi", lpSrch=".Clop") returned 0x0 [0077.898] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-W1ANSK7kJ9rC2R Vp-0.avi.Clop") returned 59 [0077.898] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-W1ANSK7kJ9rC2R Vp-0.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\-w1ansk7kj9rc2r vp-0.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x29c [0077.899] ReadFile (in: hFile=0x29c, lpBuffer=0x256fa8, nNumberOfBytesToRead=0x160b7, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesRead=0x259e1d8*=0x160b7, lpOverlapped=0x0) returned 1 [0077.899] CloseHandle (hObject=0x29c) returned 1 [0077.899] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0077.899] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0077.900] SetErrorMode (uMode=0x1) returned 0x1 [0077.900] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x2545f8) returned 1 [0077.903] CryptGenKey (in: hProv=0x2545f8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x2433f8) returned 1 [0077.946] CryptExportKey (in: hKey=0x2433f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0077.946] CryptExportKey (in: hKey=0x2433f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0077.946] CryptDestroyKey (hKey=0x2433f8) returned 1 [0077.946] CryptReleaseContext (hProv=0x2545f8, dwFlags=0x0) returned 1 [0077.946] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-W1ANSK7kJ9rC2R Vp-0.avi.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\-w1ansk7kj9rc2r vp-0.avi.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x29c [0077.947] WriteFile (in: hFile=0x29c, lpBuffer=0x256fa8*, nNumberOfBytesToWrite=0x160b7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesWritten=0x259e1e8*=0x160b7, lpOverlapped=0x0) returned 1 [0077.948] SetFilePointer (in: hFile=0x29c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x160b7 [0077.949] WriteFile (in: hFile=0x29c, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0077.949] SetFilePointer (in: hFile=0x29c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x160be [0077.949] SetErrorMode (uMode=0x1) returned 0x1 [0077.949] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0077.949] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0077.949] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0077.949] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x26dc48) returned 1 [0077.949] CryptImportPublicKeyInfoEx (in: hCryptProv=0x26dc48, dwCertEncodingType=0x1, pInfo=0x229518, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2436f8) returned 1 [0077.949] CryptEncrypt (in: hKey=0x2436f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0077.949] CryptEncrypt (in: hKey=0x2436f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26d068*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x26d068*, pdwDataLen=0x259d19c*=0x80) returned 1 [0077.949] WriteFile (in: hFile=0x29c, lpBuffer=0x26d068*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26d068*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0077.949] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0077.949] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.950] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.950] CloseHandle (hObject=0x29c) returned 1 [0077.951] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\-W1ANSK7kJ9rC2R Vp-0.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\-w1ansk7kj9rc2r vp-0.avi")) returned 1 Thread: id = 8 os_tid = 0xc84 [0077.956] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.956] lstrcpyW (in: lpString1=0x259fa1c, lpString2="28exXMRcr1nP4Rj3.mp4" | out: lpString1="28exXMRcr1nP4Rj3.mp4") returned="28exXMRcr1nP4Rj3.mp4" [0077.956] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.956] SetErrorMode (uMode=0x1) returned 0x1 [0077.956] lstrcpyW (in: lpString1=0x259e1ec, lpString2="28exXMRcr1nP4Rj3.mp4" | out: lpString1="28exXMRcr1nP4Rj3.mp4") returned="28exXMRcr1nP4Rj3.mp4" [0077.956] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\28exXMRcr1nP4Rj3.mp4") returned 50 [0077.956] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\28exXMRcr1nP4Rj3.mp4", dwFileAttributes=0x20) returned 1 [0077.957] StrStrW (lpFirst="28exXMRcr1nP4Rj3.mp4", lpSrch=".Clop") returned 0x0 [0077.957] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\28exXMRcr1nP4Rj3.mp4.Clop") returned 55 [0077.957] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\28exXMRcr1nP4Rj3.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\28exxmrcr1np4rj3.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0077.957] ReadFile (in: hFile=0x2a0, lpBuffer=0x256fa8, nNumberOfBytesToRead=0x11252, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesRead=0x259e1d8*=0x11252, lpOverlapped=0x0) returned 1 [0077.957] CloseHandle (hObject=0x2a0) returned 1 [0077.958] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0077.958] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0077.958] SetErrorMode (uMode=0x1) returned 0x1 [0077.958] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x26d2d8) returned 1 [0077.960] CryptGenKey (in: hProv=0x26d2d8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x2437f8) returned 1 [0077.984] CryptExportKey (in: hKey=0x2437f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0077.984] CryptExportKey (in: hKey=0x2437f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0077.984] CryptDestroyKey (hKey=0x2437f8) returned 1 [0077.984] CryptReleaseContext (hProv=0x26d2d8, dwFlags=0x0) returned 1 [0077.984] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\28exXMRcr1nP4Rj3.mp4.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\28exxmrcr1np4rj3.mp4.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a0 [0077.984] WriteFile (in: hFile=0x2a0, lpBuffer=0x256fa8*, nNumberOfBytesToWrite=0x11252, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesWritten=0x259e1e8*=0x11252, lpOverlapped=0x0) returned 1 [0077.986] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x11252 [0077.986] WriteFile (in: hFile=0x2a0, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0077.986] SetFilePointer (in: hFile=0x2a0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x11259 [0077.986] SetErrorMode (uMode=0x1) returned 0x1 [0077.986] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0077.986] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0077.986] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0077.986] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x26d2d8) returned 1 [0077.986] CryptImportPublicKeyInfoEx (in: hCryptProv=0x26d2d8, dwCertEncodingType=0x1, pInfo=0x229788, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243638) returned 1 [0077.986] CryptEncrypt (in: hKey=0x243638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0077.986] CryptEncrypt (in: hKey=0x243638, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26d360*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x26d360*, pdwDataLen=0x259d19c*=0x80) returned 1 [0077.987] WriteFile (in: hFile=0x2a0, lpBuffer=0x26d360*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26d360*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0077.987] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0077.987] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.987] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.987] CloseHandle (hObject=0x2a0) returned 1 [0077.989] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\28exXMRcr1nP4Rj3.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\28exxmrcr1np4rj3.mp4")) returned 1 Thread: id = 9 os_tid = 0xc80 [0077.993] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0077.993] lstrcpyW (in: lpString1=0x259fa1c, lpString2="2hw0VHoOhU P3sOPU0.docx" | out: lpString1="2hw0VHoOhU P3sOPU0.docx") returned="2hw0VHoOhU P3sOPU0.docx" [0077.993] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0077.993] SetErrorMode (uMode=0x1) returned 0x1 [0077.993] lstrcpyW (in: lpString1=0x259e1ec, lpString2="2hw0VHoOhU P3sOPU0.docx" | out: lpString1="2hw0VHoOhU P3sOPU0.docx") returned="2hw0VHoOhU P3sOPU0.docx" [0077.993] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\2hw0VHoOhU P3sOPU0.docx") returned 53 [0077.993] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\2hw0VHoOhU P3sOPU0.docx", dwFileAttributes=0x20) returned 1 [0077.993] StrStrW (lpFirst="2hw0VHoOhU P3sOPU0.docx", lpSrch=".Clop") returned 0x0 [0077.993] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\2hw0VHoOhU P3sOPU0.docx.Clop") returned 58 [0077.993] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\2hw0VHoOhU P3sOPU0.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\2hw0vhoohu p3sopu0.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a4 [0077.993] ReadFile (in: hFile=0x2a4, lpBuffer=0x2683d0, nNumberOfBytesToRead=0x318f, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x2683d0*, lpNumberOfBytesRead=0x259e1d8*=0x318f, lpOverlapped=0x0) returned 1 [0077.994] CloseHandle (hObject=0x2a4) returned 1 [0077.994] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0077.994] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0077.994] SetErrorMode (uMode=0x1) returned 0x1 [0077.994] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x255ef0) returned 1 [0077.997] CryptGenKey (in: hProv=0x255ef0, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x2437f8) returned 1 [0078.009] CryptExportKey (in: hKey=0x2437f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.009] CryptExportKey (in: hKey=0x2437f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.009] CryptDestroyKey (hKey=0x2437f8) returned 1 [0078.009] CryptReleaseContext (hProv=0x255ef0, dwFlags=0x0) returned 1 [0078.009] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\2hw0VHoOhU P3sOPU0.docx.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\2hw0vhoohu p3sopu0.docx.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a4 [0078.009] WriteFile (in: hFile=0x2a4, lpBuffer=0x2683d0*, nNumberOfBytesToWrite=0x318f, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x2683d0*, lpNumberOfBytesWritten=0x259e1e8*=0x318f, lpOverlapped=0x0) returned 1 [0078.010] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x318f [0078.010] WriteFile (in: hFile=0x2a4, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0078.010] SetFilePointer (in: hFile=0x2a4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x3196 [0078.010] SetErrorMode (uMode=0x1) returned 0x1 [0078.010] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0078.010] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.010] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0078.010] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x255ef0) returned 1 [0078.011] CryptImportPublicKeyInfoEx (in: hCryptProv=0x255ef0, dwCertEncodingType=0x1, pInfo=0x229378, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2436b8) returned 1 [0078.011] CryptEncrypt (in: hKey=0x2436b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0078.011] CryptEncrypt (in: hKey=0x2436b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26c6b8*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x26c6b8*, pdwDataLen=0x259d19c*=0x80) returned 1 [0078.011] WriteFile (in: hFile=0x2a4, lpBuffer=0x26c6b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26c6b8*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0078.011] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0078.011] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.011] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.011] CloseHandle (hObject=0x2a4) returned 1 [0078.013] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\2hw0VHoOhU P3sOPU0.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\2hw0vhoohu p3sopu0.docx")) returned 1 Thread: id = 10 os_tid = 0xc78 [0078.017] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.017] lstrcpyW (in: lpString1=0x259fa1c, lpString2="9rQFVz_dAB30dr89aphB.jpg" | out: lpString1="9rQFVz_dAB30dr89aphB.jpg") returned="9rQFVz_dAB30dr89aphB.jpg" [0078.017] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.017] SetErrorMode (uMode=0x1) returned 0x1 [0078.017] lstrcpyW (in: lpString1=0x259e1ec, lpString2="9rQFVz_dAB30dr89aphB.jpg" | out: lpString1="9rQFVz_dAB30dr89aphB.jpg") returned="9rQFVz_dAB30dr89aphB.jpg" [0078.017] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\9rQFVz_dAB30dr89aphB.jpg") returned 54 [0078.017] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\9rQFVz_dAB30dr89aphB.jpg", dwFileAttributes=0x20) returned 1 [0078.017] StrStrW (lpFirst="9rQFVz_dAB30dr89aphB.jpg", lpSrch=".Clop") returned 0x0 [0078.017] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\9rQFVz_dAB30dr89aphB.jpg.Clop") returned 59 [0078.018] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\9rQFVz_dAB30dr89aphB.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\9rqfvz_dab30dr89aphb.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a8 [0078.018] ReadFile (in: hFile=0x2a8, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0x155d8, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x259e1d8*=0x155d8, lpOverlapped=0x0) returned 1 [0078.019] CloseHandle (hObject=0x2a8) returned 1 [0078.019] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0078.019] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0078.020] SetErrorMode (uMode=0x1) returned 0x1 [0078.020] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22d980) returned 1 [0078.022] CryptGenKey (in: hProv=0x22d980, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243378) returned 1 [0078.053] CryptExportKey (in: hKey=0x243378, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.054] CryptExportKey (in: hKey=0x243378, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.054] CryptDestroyKey (hKey=0x243378) returned 1 [0078.054] CryptReleaseContext (hProv=0x22d980, dwFlags=0x0) returned 1 [0078.054] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\9rQFVz_dAB30dr89aphB.jpg.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\9rqfvz_dab30dr89aphb.jpg.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a8 [0078.054] WriteFile (in: hFile=0x2a8, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0x155d8, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x259e1e8*=0x155d8, lpOverlapped=0x0) returned 1 [0078.056] SetFilePointer (in: hFile=0x2a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x155d8 [0078.056] WriteFile (in: hFile=0x2a8, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0078.056] SetFilePointer (in: hFile=0x2a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x155df [0078.056] SetErrorMode (uMode=0x1) returned 0x1 [0078.056] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0078.056] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.056] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0078.056] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e420) returned 1 [0078.056] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e420, dwCertEncodingType=0x1, pInfo=0x2295e8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2438b8) returned 1 [0078.056] CryptEncrypt (in: hKey=0x2438b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0078.056] CryptEncrypt (in: hKey=0x2438b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22e5b8*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22e5b8*, pdwDataLen=0x259d19c*=0x80) returned 1 [0078.056] WriteFile (in: hFile=0x2a8, lpBuffer=0x22e5b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22e5b8*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0078.056] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0078.056] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.057] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.057] CloseHandle (hObject=0x2a8) returned 1 [0078.059] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\9rQFVz_dAB30dr89aphB.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\9rqfvz_dab30dr89aphb.jpg")) returned 1 Thread: id = 11 os_tid = 0xcac [0078.063] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.063] lstrcpyW (in: lpString1=0x259fa1c, lpString2="AawVwHL.m4a" | out: lpString1="AawVwHL.m4a") returned="AawVwHL.m4a" [0078.063] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.063] SetErrorMode (uMode=0x1) returned 0x1 [0078.063] lstrcpyW (in: lpString1=0x259e1ec, lpString2="AawVwHL.m4a" | out: lpString1="AawVwHL.m4a") returned="AawVwHL.m4a" [0078.063] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AawVwHL.m4a") returned 41 [0078.063] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AawVwHL.m4a", dwFileAttributes=0x20) returned 1 [0078.063] StrStrW (lpFirst="AawVwHL.m4a", lpSrch=".Clop") returned 0x0 [0078.063] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AawVwHL.m4a.Clop") returned 46 [0078.063] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AawVwHL.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\aawvwhl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0078.064] ReadFile (in: hFile=0x2ac, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0x117aa, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x259e1d8*=0x117aa, lpOverlapped=0x0) returned 1 [0078.064] CloseHandle (hObject=0x2ac) returned 1 [0078.064] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0078.064] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0078.065] SetErrorMode (uMode=0x1) returned 0x1 [0078.065] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22e640) returned 1 [0078.067] CryptGenKey (in: hProv=0x22e640, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243938) returned 1 [0078.116] CryptExportKey (in: hKey=0x243938, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.116] CryptExportKey (in: hKey=0x243938, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.116] CryptDestroyKey (hKey=0x243938) returned 1 [0078.116] CryptReleaseContext (hProv=0x22e640, dwFlags=0x0) returned 1 [0078.116] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AawVwHL.m4a.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\aawvwhl.m4a.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0078.116] WriteFile (in: hFile=0x2ac, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0x117aa, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x259e1e8*=0x117aa, lpOverlapped=0x0) returned 1 [0078.118] SetFilePointer (in: hFile=0x2ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x117aa [0078.118] WriteFile (in: hFile=0x2ac, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0078.118] SetFilePointer (in: hFile=0x2ac, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x117b1 [0078.118] SetErrorMode (uMode=0x1) returned 0x1 [0078.118] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0078.118] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.118] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0078.118] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22db18) returned 1 [0078.118] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22db18, dwCertEncodingType=0x1, pInfo=0x229448, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243738) returned 1 [0078.118] CryptEncrypt (in: hKey=0x243738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0078.118] CryptEncrypt (in: hKey=0x243738, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22da08*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22da08*, pdwDataLen=0x259d19c*=0x80) returned 1 [0078.118] WriteFile (in: hFile=0x2ac, lpBuffer=0x22da08*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22da08*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0078.118] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0078.119] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.119] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.119] CloseHandle (hObject=0x2ac) returned 1 [0078.122] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AawVwHL.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\aawvwhl.m4a")) returned 1 Thread: id = 12 os_tid = 0xcb4 [0078.126] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.126] lstrcpyW (in: lpString1=0x259fa1c, lpString2="AdgNJLl.avi" | out: lpString1="AdgNJLl.avi") returned="AdgNJLl.avi" [0078.126] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.126] SetErrorMode (uMode=0x1) returned 0x1 [0078.126] lstrcpyW (in: lpString1=0x259e1ec, lpString2="AdgNJLl.avi" | out: lpString1="AdgNJLl.avi") returned="AdgNJLl.avi" [0078.126] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AdgNJLl.avi") returned 41 [0078.126] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AdgNJLl.avi", dwFileAttributes=0x20) returned 1 [0078.126] StrStrW (lpFirst="AdgNJLl.avi", lpSrch=".Clop") returned 0x0 [0078.126] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AdgNJLl.avi.Clop") returned 46 [0078.126] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AdgNJLl.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\adgnjll.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b0 [0078.127] ReadFile (in: hFile=0x2b0, lpBuffer=0x244b58, nNumberOfBytesToRead=0x3822, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x244b58*, lpNumberOfBytesRead=0x259e1d8*=0x3822, lpOverlapped=0x0) returned 1 [0078.127] CloseHandle (hObject=0x2b0) returned 1 [0078.127] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0078.127] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0078.128] SetErrorMode (uMode=0x1) returned 0x1 [0078.128] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22dc28) returned 1 [0078.130] CryptGenKey (in: hProv=0x22dc28, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243938) returned 1 [0078.144] CryptExportKey (in: hKey=0x243938, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.144] CryptExportKey (in: hKey=0x243938, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.144] CryptDestroyKey (hKey=0x243938) returned 1 [0078.144] CryptReleaseContext (hProv=0x22dc28, dwFlags=0x0) returned 1 [0078.144] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AdgNJLl.avi.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\adgnjll.avi.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b0 [0078.144] WriteFile (in: hFile=0x2b0, lpBuffer=0x244b58*, nNumberOfBytesToWrite=0x3822, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x244b58*, lpNumberOfBytesWritten=0x259e1e8*=0x3822, lpOverlapped=0x0) returned 1 [0078.145] SetFilePointer (in: hFile=0x2b0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x3822 [0078.145] WriteFile (in: hFile=0x2b0, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0078.145] SetFilePointer (in: hFile=0x2b0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x3829 [0078.145] SetErrorMode (uMode=0x1) returned 0x1 [0078.145] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0078.145] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.145] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0078.145] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22dcb0) returned 1 [0078.145] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22dcb0, dwCertEncodingType=0x1, pInfo=0x249c18, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243378) returned 1 [0078.145] CryptEncrypt (in: hKey=0x243378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0078.146] CryptEncrypt (in: hKey=0x243378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22dba0*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22dba0*, pdwDataLen=0x259d19c*=0x80) returned 1 [0078.146] WriteFile (in: hFile=0x2b0, lpBuffer=0x22dba0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22dba0*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0078.146] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0078.146] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.146] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.146] CloseHandle (hObject=0x2b0) returned 1 [0078.147] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\AdgNJLl.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\adgnjll.avi")) returned 1 Thread: id = 13 os_tid = 0xcbc [0078.150] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.150] lstrcpyW (in: lpString1=0x259fa1c, lpString2="BLH3rhTCDoUHvqqP.mp3" | out: lpString1="BLH3rhTCDoUHvqqP.mp3") returned="BLH3rhTCDoUHvqqP.mp3" [0078.150] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.150] SetErrorMode (uMode=0x1) returned 0x1 [0078.150] lstrcpyW (in: lpString1=0x259e1ec, lpString2="BLH3rhTCDoUHvqqP.mp3" | out: lpString1="BLH3rhTCDoUHvqqP.mp3") returned="BLH3rhTCDoUHvqqP.mp3" [0078.150] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BLH3rhTCDoUHvqqP.mp3") returned 50 [0078.150] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BLH3rhTCDoUHvqqP.mp3", dwFileAttributes=0x20) returned 1 [0078.150] StrStrW (lpFirst="BLH3rhTCDoUHvqqP.mp3", lpSrch=".Clop") returned 0x0 [0078.150] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BLH3rhTCDoUHvqqP.mp3.Clop") returned 55 [0078.150] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BLH3rhTCDoUHvqqP.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\blh3rhtcdouhvqqp.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b4 [0078.151] ReadFile (in: hFile=0x2b4, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0x14083, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x259e1d8*=0x14083, lpOverlapped=0x0) returned 1 [0078.152] CloseHandle (hObject=0x2b4) returned 1 [0078.152] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0078.153] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0078.153] SetErrorMode (uMode=0x1) returned 0x1 [0078.153] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22e178) returned 1 [0078.155] CryptGenKey (in: hProv=0x22e178, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243938) returned 1 [0078.189] CryptExportKey (in: hKey=0x243938, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.189] CryptExportKey (in: hKey=0x243938, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.189] CryptDestroyKey (hKey=0x243938) returned 1 [0078.189] CryptReleaseContext (hProv=0x22e178, dwFlags=0x0) returned 1 [0078.190] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BLH3rhTCDoUHvqqP.mp3.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\blh3rhtcdouhvqqp.mp3.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b4 [0078.190] WriteFile (in: hFile=0x2b4, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0x14083, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x259e1e8*=0x14083, lpOverlapped=0x0) returned 1 [0078.191] SetFilePointer (in: hFile=0x2b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x14083 [0078.191] WriteFile (in: hFile=0x2b4, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0078.191] SetFilePointer (in: hFile=0x2b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1408a [0078.191] SetErrorMode (uMode=0x1) returned 0x1 [0078.191] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0078.192] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.192] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0078.192] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e0f0) returned 1 [0078.192] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e0f0, dwCertEncodingType=0x1, pInfo=0x248968, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2438f8) returned 1 [0078.192] CryptEncrypt (in: hKey=0x2438f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0078.192] CryptEncrypt (in: hKey=0x2438f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22df58*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22df58*, pdwDataLen=0x259d19c*=0x80) returned 1 [0078.192] WriteFile (in: hFile=0x2b4, lpBuffer=0x22df58*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22df58*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0078.192] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0078.193] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.193] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.193] CloseHandle (hObject=0x2b4) returned 1 [0078.195] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BLH3rhTCDoUHvqqP.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\blh3rhtcdouhvqqp.mp3")) returned 1 Thread: id = 14 os_tid = 0xcb8 [0078.687] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.687] lstrcpyW (in: lpString1=0x259fa1c, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0078.687] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.687] SetErrorMode (uMode=0x1) returned 0x1 [0078.687] lstrcpyW (in: lpString1=0x259e1ec, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0078.687] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned 41 [0078.687] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini", dwFileAttributes=0x20) returned 1 [0078.688] StrStrW (lpFirst="desktop.ini", lpSrch=".Clop") returned 0x0 [0078.688] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini.Clop") returned 46 [0078.688] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0078.688] ReadFile (in: hFile=0x2b8, lpBuffer=0x256918, nNumberOfBytesToRead=0x11a, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256918*, lpNumberOfBytesRead=0x259e1d8*=0x11a, lpOverlapped=0x0) returned 1 [0078.689] CloseHandle (hObject=0x2b8) returned 1 [0078.689] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0078.689] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0078.689] SetErrorMode (uMode=0x1) returned 0x1 [0078.689] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22dc28) returned 1 [0078.692] CryptGenKey (in: hProv=0x22dc28, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x2433f8) returned 1 [0078.749] CryptExportKey (in: hKey=0x2433f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.749] CryptExportKey (in: hKey=0x2433f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.749] CryptDestroyKey (hKey=0x2433f8) returned 1 [0078.749] CryptReleaseContext (hProv=0x22dc28, dwFlags=0x0) returned 1 [0078.749] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\desktop.ini.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b8 [0078.749] WriteFile (in: hFile=0x2b8, lpBuffer=0x256918*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256918*, lpNumberOfBytesWritten=0x259e1e8*=0x11a, lpOverlapped=0x0) returned 1 [0078.750] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x11a [0078.750] WriteFile (in: hFile=0x2b8, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0078.750] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x121 [0078.750] SetErrorMode (uMode=0x1) returned 0x1 [0078.750] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0078.750] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.750] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0078.750] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e310) returned 1 [0078.750] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e310, dwCertEncodingType=0x1, pInfo=0x249a78, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2437f8) returned 1 [0078.750] CryptEncrypt (in: hKey=0x2437f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0078.750] CryptEncrypt (in: hKey=0x2437f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22ded0*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22ded0*, pdwDataLen=0x259d19c*=0x80) returned 1 [0078.750] WriteFile (in: hFile=0x2b8, lpBuffer=0x22ded0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22ded0*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0078.750] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0078.750] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.751] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.751] CloseHandle (hObject=0x2b8) returned 1 [0078.751] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\desktop.ini")) returned 1 Thread: id = 15 os_tid = 0xcb0 [0078.755] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.755] lstrcpyW (in: lpString1=0x259fa1c, lpString2="JK-lp.gif" | out: lpString1="JK-lp.gif") returned="JK-lp.gif" [0078.755] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.755] SetErrorMode (uMode=0x1) returned 0x1 [0078.755] lstrcpyW (in: lpString1=0x259e1ec, lpString2="JK-lp.gif" | out: lpString1="JK-lp.gif") returned="JK-lp.gif" [0078.755] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\JK-lp.gif") returned 39 [0078.755] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\JK-lp.gif", dwFileAttributes=0x20) returned 1 [0078.756] StrStrW (lpFirst="JK-lp.gif", lpSrch=".Clop") returned 0x0 [0078.756] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\JK-lp.gif.Clop") returned 44 [0078.756] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\JK-lp.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jk-lp.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2bc [0078.757] ReadFile (in: hFile=0x2bc, lpBuffer=0x283f60, nNumberOfBytesToRead=0x16691, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x283f60*, lpNumberOfBytesRead=0x259e1d8*=0x16691, lpOverlapped=0x0) returned 1 [0078.757] CloseHandle (hObject=0x2bc) returned 1 [0078.757] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0078.757] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0078.758] SetErrorMode (uMode=0x1) returned 0x1 [0078.758] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22dc28) returned 1 [0078.760] CryptGenKey (in: hProv=0x22dc28, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243938) returned 1 [0078.869] CryptExportKey (in: hKey=0x243938, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.869] CryptExportKey (in: hKey=0x243938, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.869] CryptDestroyKey (hKey=0x243938) returned 1 [0078.869] CryptReleaseContext (hProv=0x22dc28, dwFlags=0x0) returned 1 [0078.869] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\JK-lp.gif.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jk-lp.gif.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2bc [0078.870] WriteFile (in: hFile=0x2bc, lpBuffer=0x283f60*, nNumberOfBytesToWrite=0x16691, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x283f60*, lpNumberOfBytesWritten=0x259e1e8*=0x16691, lpOverlapped=0x0) returned 1 [0078.871] SetFilePointer (in: hFile=0x2bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x16691 [0078.871] WriteFile (in: hFile=0x2bc, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0078.871] SetFilePointer (in: hFile=0x2bc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x16698 [0078.872] SetErrorMode (uMode=0x1) returned 0x1 [0078.872] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0078.872] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.872] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0078.872] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22da90) returned 1 [0078.872] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22da90, dwCertEncodingType=0x1, pInfo=0x2483b8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243938) returned 1 [0078.872] CryptEncrypt (in: hKey=0x243938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0078.872] CryptEncrypt (in: hKey=0x243938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22dfe0*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22dfe0*, pdwDataLen=0x259d19c*=0x80) returned 1 [0078.872] WriteFile (in: hFile=0x2bc, lpBuffer=0x22dfe0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22dfe0*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0078.872] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0078.873] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.873] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.873] CloseHandle (hObject=0x2bc) returned 1 [0078.875] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\JK-lp.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jk-lp.gif")) returned 1 Thread: id = 16 os_tid = 0xca8 [0078.879] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.879] lstrcpyW (in: lpString1=0x259fa1c, lpString2="Jl0vZzRw qEogGC.mp3" | out: lpString1="Jl0vZzRw qEogGC.mp3") returned="Jl0vZzRw qEogGC.mp3" [0078.879] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.879] SetErrorMode (uMode=0x1) returned 0x1 [0078.879] lstrcpyW (in: lpString1=0x259e1ec, lpString2="Jl0vZzRw qEogGC.mp3" | out: lpString1="Jl0vZzRw qEogGC.mp3") returned="Jl0vZzRw qEogGC.mp3" [0078.879] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jl0vZzRw qEogGC.mp3") returned 49 [0078.879] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jl0vZzRw qEogGC.mp3", dwFileAttributes=0x20) returned 1 [0078.880] StrStrW (lpFirst="Jl0vZzRw qEogGC.mp3", lpSrch=".Clop") returned 0x0 [0078.880] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jl0vZzRw qEogGC.mp3.Clop") returned 54 [0078.880] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jl0vZzRw qEogGC.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jl0vzzrw qeoggc.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0 [0078.880] ReadFile (in: hFile=0x2c0, lpBuffer=0x24a390, nNumberOfBytesToRead=0x47fd, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x24a390*, lpNumberOfBytesRead=0x259e1d8*=0x47fd, lpOverlapped=0x0) returned 1 [0078.881] CloseHandle (hObject=0x2c0) returned 1 [0078.881] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0078.881] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0078.881] SetErrorMode (uMode=0x1) returned 0x1 [0078.881] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22e7d8) returned 1 [0078.883] CryptGenKey (in: hProv=0x22e7d8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243978) returned 1 [0078.904] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.905] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.905] CryptDestroyKey (hKey=0x243978) returned 1 [0078.905] CryptReleaseContext (hProv=0x22e7d8, dwFlags=0x0) returned 1 [0078.905] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jl0vZzRw qEogGC.mp3.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jl0vzzrw qeoggc.mp3.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c0 [0078.905] WriteFile (in: hFile=0x2c0, lpBuffer=0x24a390*, nNumberOfBytesToWrite=0x47fd, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24a390*, lpNumberOfBytesWritten=0x259e1e8*=0x47fd, lpOverlapped=0x0) returned 1 [0078.906] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x47fd [0078.906] WriteFile (in: hFile=0x2c0, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0078.906] SetFilePointer (in: hFile=0x2c0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x4804 [0078.906] SetErrorMode (uMode=0x1) returned 0x1 [0078.906] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0078.906] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.906] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0078.906] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e640) returned 1 [0078.906] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e640, dwCertEncodingType=0x1, pInfo=0x249188, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243ab8) returned 1 [0078.906] CryptEncrypt (in: hKey=0x243ab8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0078.906] CryptEncrypt (in: hKey=0x243ab8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22d8f8*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22d8f8*, pdwDataLen=0x259d19c*=0x80) returned 1 [0078.907] WriteFile (in: hFile=0x2c0, lpBuffer=0x22d8f8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22d8f8*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0078.907] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0078.907] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.907] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.907] CloseHandle (hObject=0x2c0) returned 1 [0078.909] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jl0vZzRw qEogGC.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jl0vzzrw qeoggc.mp3")) returned 1 Thread: id = 17 os_tid = 0xca0 [0078.912] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.912] lstrcpyW (in: lpString1=0x259fa1c, lpString2="Jqmw2bG-TElFXFN.swf" | out: lpString1="Jqmw2bG-TElFXFN.swf") returned="Jqmw2bG-TElFXFN.swf" [0078.912] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.912] SetErrorMode (uMode=0x1) returned 0x1 [0078.912] lstrcpyW (in: lpString1=0x259e1ec, lpString2="Jqmw2bG-TElFXFN.swf" | out: lpString1="Jqmw2bG-TElFXFN.swf") returned="Jqmw2bG-TElFXFN.swf" [0078.912] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jqmw2bG-TElFXFN.swf") returned 49 [0078.912] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jqmw2bG-TElFXFN.swf", dwFileAttributes=0x20) returned 1 [0078.912] StrStrW (lpFirst="Jqmw2bG-TElFXFN.swf", lpSrch=".Clop") returned 0x0 [0078.912] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jqmw2bG-TElFXFN.swf.Clop") returned 54 [0078.912] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jqmw2bG-TElFXFN.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jqmw2bg-telfxfn.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0078.913] ReadFile (in: hFile=0x2c4, lpBuffer=0x256fa8, nNumberOfBytesToRead=0xe6c8, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesRead=0x259e1d8*=0xe6c8, lpOverlapped=0x0) returned 1 [0078.914] CloseHandle (hObject=0x2c4) returned 1 [0078.914] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0078.914] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0078.914] SetErrorMode (uMode=0x1) returned 0x1 [0078.914] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22dd38) returned 1 [0078.916] CryptGenKey (in: hProv=0x22dd38, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243978) returned 1 [0078.966] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.966] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0078.966] CryptDestroyKey (hKey=0x243978) returned 1 [0078.966] CryptReleaseContext (hProv=0x22dd38, dwFlags=0x0) returned 1 [0078.967] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jqmw2bG-TElFXFN.swf.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jqmw2bg-telfxfn.swf.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0078.967] WriteFile (in: hFile=0x2c4, lpBuffer=0x256fa8*, nNumberOfBytesToWrite=0xe6c8, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesWritten=0x259e1e8*=0xe6c8, lpOverlapped=0x0) returned 1 [0078.968] SetFilePointer (in: hFile=0x2c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xe6c8 [0078.968] WriteFile (in: hFile=0x2c4, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0078.969] SetFilePointer (in: hFile=0x2c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xe6cf [0078.969] SetErrorMode (uMode=0x1) returned 0x1 [0078.969] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0078.969] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0078.969] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0078.969] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e6c8) returned 1 [0078.969] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e6c8, dwCertEncodingType=0x1, pInfo=0x248d78, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2433f8) returned 1 [0078.969] CryptEncrypt (in: hKey=0x2433f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0078.969] CryptEncrypt (in: hKey=0x2433f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22d980*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22d980*, pdwDataLen=0x259d19c*=0x80) returned 1 [0078.969] WriteFile (in: hFile=0x2c4, lpBuffer=0x22d980*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22d980*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0078.969] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0078.970] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.970] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.970] CloseHandle (hObject=0x2c4) returned 1 [0078.971] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jqmw2bG-TElFXFN.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jqmw2bg-telfxfn.swf")) returned 1 Thread: id = 18 os_tid = 0xc9c [0078.975] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0078.975] lstrcpyW (in: lpString1=0x259fa1c, lpString2="jzlaMjeyc.m4a" | out: lpString1="jzlaMjeyc.m4a") returned="jzlaMjeyc.m4a" [0078.975] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0078.975] SetErrorMode (uMode=0x1) returned 0x1 [0078.975] lstrcpyW (in: lpString1=0x259e1ec, lpString2="jzlaMjeyc.m4a" | out: lpString1="jzlaMjeyc.m4a") returned="jzlaMjeyc.m4a" [0078.975] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\jzlaMjeyc.m4a") returned 43 [0078.975] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\jzlaMjeyc.m4a", dwFileAttributes=0x20) returned 1 [0078.976] StrStrW (lpFirst="jzlaMjeyc.m4a", lpSrch=".Clop") returned 0x0 [0078.976] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\jzlaMjeyc.m4a.Clop") returned 48 [0078.976] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\jzlaMjeyc.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jzlamjeyc.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c8 [0078.976] ReadFile (in: hFile=0x2c8, lpBuffer=0x2687d8, nNumberOfBytesToRead=0x36bc, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x2687d8*, lpNumberOfBytesRead=0x259e1d8*=0x36bc, lpOverlapped=0x0) returned 1 [0078.977] CloseHandle (hObject=0x2c8) returned 1 [0078.977] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0078.977] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0078.977] SetErrorMode (uMode=0x1) returned 0x1 [0078.977] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22dd38) returned 1 [0078.979] CryptGenKey (in: hProv=0x22dd38, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243978) returned 1 [0079.125] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.125] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.125] CryptDestroyKey (hKey=0x243978) returned 1 [0079.125] CryptReleaseContext (hProv=0x22dd38, dwFlags=0x0) returned 1 [0079.125] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\jzlaMjeyc.m4a.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jzlamjeyc.m4a.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c8 [0079.125] WriteFile (in: hFile=0x2c8, lpBuffer=0x2687d8*, nNumberOfBytesToWrite=0x36bc, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x2687d8*, lpNumberOfBytesWritten=0x259e1e8*=0x36bc, lpOverlapped=0x0) returned 1 [0079.126] SetFilePointer (in: hFile=0x2c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x36bc [0079.126] WriteFile (in: hFile=0x2c8, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0079.126] SetFilePointer (in: hFile=0x2c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x36c3 [0079.126] SetErrorMode (uMode=0x1) returned 0x1 [0079.126] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0079.126] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0079.126] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0079.126] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e7d8) returned 1 [0079.127] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e7d8, dwCertEncodingType=0x1, pInfo=0x248488, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243af8) returned 1 [0079.127] CryptEncrypt (in: hKey=0x243af8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0079.127] CryptEncrypt (in: hKey=0x243af8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22dc28*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22dc28*, pdwDataLen=0x259d19c*=0x80) returned 1 [0079.127] WriteFile (in: hFile=0x2c8, lpBuffer=0x22dc28*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22dc28*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0079.127] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0079.127] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.127] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.127] CloseHandle (hObject=0x2c8) returned 1 [0079.128] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\jzlaMjeyc.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jzlamjeyc.m4a")) returned 1 Thread: id = 19 os_tid = 0xc90 [0079.135] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0079.135] lstrcpyW (in: lpString1=0x259fa1c, lpString2="kgA8vkn8D.png" | out: lpString1="kgA8vkn8D.png") returned="kgA8vkn8D.png" [0079.135] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0079.135] SetErrorMode (uMode=0x1) returned 0x1 [0079.135] lstrcpyW (in: lpString1=0x259e1ec, lpString2="kgA8vkn8D.png" | out: lpString1="kgA8vkn8D.png") returned="kgA8vkn8D.png" [0079.135] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\kgA8vkn8D.png") returned 43 [0079.135] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\kgA8vkn8D.png", dwFileAttributes=0x20) returned 1 [0079.136] StrStrW (lpFirst="kgA8vkn8D.png", lpSrch=".Clop") returned 0x0 [0079.136] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\kgA8vkn8D.png.Clop") returned 48 [0079.136] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\kgA8vkn8D.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\kga8vkn8d.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0079.137] ReadFile (in: hFile=0x2cc, lpBuffer=0x283f60, nNumberOfBytesToRead=0x17da9, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x283f60*, lpNumberOfBytesRead=0x259e1d8*=0x17da9, lpOverlapped=0x0) returned 1 [0079.138] CloseHandle (hObject=0x2cc) returned 1 [0079.138] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0079.138] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0079.138] SetErrorMode (uMode=0x1) returned 0x1 [0079.138] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22e4a8) returned 1 [0079.141] CryptGenKey (in: hProv=0x22e4a8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243978) returned 1 [0079.168] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.168] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.168] CryptDestroyKey (hKey=0x243978) returned 1 [0079.169] CryptReleaseContext (hProv=0x22e4a8, dwFlags=0x0) returned 1 [0079.169] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\kgA8vkn8D.png.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\kga8vkn8d.png.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2cc [0079.169] WriteFile (in: hFile=0x2cc, lpBuffer=0x283f60*, nNumberOfBytesToWrite=0x17da9, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x283f60*, lpNumberOfBytesWritten=0x259e1e8*=0x17da9, lpOverlapped=0x0) returned 1 [0079.171] SetFilePointer (in: hFile=0x2cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x17da9 [0079.171] WriteFile (in: hFile=0x2cc, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0079.171] SetFilePointer (in: hFile=0x2cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x17db0 [0079.171] SetErrorMode (uMode=0x1) returned 0x1 [0079.171] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0079.171] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0079.171] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0079.171] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e068) returned 1 [0079.171] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e068, dwCertEncodingType=0x1, pInfo=0x249b48, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2434f8) returned 1 [0079.171] CryptEncrypt (in: hKey=0x2434f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0079.172] CryptEncrypt (in: hKey=0x2434f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22dd38*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22dd38*, pdwDataLen=0x259d19c*=0x80) returned 1 [0079.172] WriteFile (in: hFile=0x2cc, lpBuffer=0x22dd38*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22dd38*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0079.172] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0079.173] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.173] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.173] CloseHandle (hObject=0x2cc) returned 1 [0079.175] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\kgA8vkn8D.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\kga8vkn8d.png")) returned 1 Thread: id = 20 os_tid = 0xca4 [0079.179] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0079.179] lstrcpyW (in: lpString1=0x259fa1c, lpString2="KZdjrOBP38df.wav" | out: lpString1="KZdjrOBP38df.wav") returned="KZdjrOBP38df.wav" [0079.179] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0079.179] SetErrorMode (uMode=0x1) returned 0x1 [0079.179] lstrcpyW (in: lpString1=0x259e1ec, lpString2="KZdjrOBP38df.wav" | out: lpString1="KZdjrOBP38df.wav") returned="KZdjrOBP38df.wav" [0079.179] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KZdjrOBP38df.wav") returned 46 [0079.179] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KZdjrOBP38df.wav", dwFileAttributes=0x20) returned 1 [0079.180] StrStrW (lpFirst="KZdjrOBP38df.wav", lpSrch=".Clop") returned 0x0 [0079.180] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KZdjrOBP38df.wav.Clop") returned 51 [0079.180] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KZdjrOBP38df.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\kzdjrobp38df.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d0 [0079.180] ReadFile (in: hFile=0x2d0, lpBuffer=0x256fa8, nNumberOfBytesToRead=0x9f59, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesRead=0x259e1d8*=0x9f59, lpOverlapped=0x0) returned 1 [0079.181] CloseHandle (hObject=0x2d0) returned 1 [0079.181] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0079.181] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0079.181] SetErrorMode (uMode=0x1) returned 0x1 [0079.181] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22e398) returned 1 [0079.184] CryptGenKey (in: hProv=0x22e398, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243978) returned 1 [0079.625] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.625] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.625] CryptDestroyKey (hKey=0x243978) returned 1 [0079.625] CryptReleaseContext (hProv=0x22e398, dwFlags=0x0) returned 1 [0079.625] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KZdjrOBP38df.wav.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\kzdjrobp38df.wav.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d0 [0079.625] WriteFile (in: hFile=0x2d0, lpBuffer=0x256fa8*, nNumberOfBytesToWrite=0x9f59, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesWritten=0x259e1e8*=0x9f59, lpOverlapped=0x0) returned 1 [0079.626] SetFilePointer (in: hFile=0x2d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x9f59 [0079.626] WriteFile (in: hFile=0x2d0, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0079.626] SetFilePointer (in: hFile=0x2d0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x9f60 [0079.626] SetErrorMode (uMode=0x1) returned 0x1 [0079.627] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0079.627] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0079.627] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0079.627] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22ddc0) returned 1 [0079.627] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22ddc0, dwCertEncodingType=0x1, pInfo=0x248e48, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243478) returned 1 [0079.627] CryptEncrypt (in: hKey=0x243478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0079.627] CryptEncrypt (in: hKey=0x243478, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22de48*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22de48*, pdwDataLen=0x259d19c*=0x80) returned 1 [0079.627] WriteFile (in: hFile=0x2d0, lpBuffer=0x22de48*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22de48*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0079.627] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0079.628] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.628] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.628] CloseHandle (hObject=0x2d0) returned 1 [0079.629] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KZdjrOBP38df.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\kzdjrobp38df.wav")) returned 1 Thread: id = 21 os_tid = 0xc8c [0079.745] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0079.746] lstrcpyW (in: lpString1=0x259fa1c, lpString2="LIpP.mp3" | out: lpString1="LIpP.mp3") returned="LIpP.mp3" [0079.746] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0079.746] SetErrorMode (uMode=0x1) returned 0x1 [0079.746] lstrcpyW (in: lpString1=0x259e1ec, lpString2="LIpP.mp3" | out: lpString1="LIpP.mp3") returned="LIpP.mp3" [0079.746] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LIpP.mp3") returned 38 [0079.746] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LIpP.mp3", dwFileAttributes=0x20) returned 1 [0079.746] StrStrW (lpFirst="LIpP.mp3", lpSrch=".Clop") returned 0x0 [0079.746] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LIpP.mp3.Clop") returned 43 [0079.746] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LIpP.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lipp.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d4 [0079.747] ReadFile (in: hFile=0x2d4, lpBuffer=0x24a390, nNumberOfBytesToRead=0x2e14, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x24a390*, lpNumberOfBytesRead=0x259e1d8*=0x2e14, lpOverlapped=0x0) returned 1 [0079.747] CloseHandle (hObject=0x2d4) returned 1 [0079.747] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0079.748] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0079.748] SetErrorMode (uMode=0x1) returned 0x1 [0079.748] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22e178) returned 1 [0079.750] CryptGenKey (in: hProv=0x22e178, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243978) returned 1 [0079.859] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.859] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.859] CryptDestroyKey (hKey=0x243978) returned 1 [0079.859] CryptReleaseContext (hProv=0x22e178, dwFlags=0x0) returned 1 [0079.859] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LIpP.mp3.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lipp.mp3.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d4 [0079.859] WriteFile (in: hFile=0x2d4, lpBuffer=0x24a390*, nNumberOfBytesToWrite=0x2e14, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24a390*, lpNumberOfBytesWritten=0x259e1e8*=0x2e14, lpOverlapped=0x0) returned 1 [0079.860] SetFilePointer (in: hFile=0x2d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x2e14 [0079.860] WriteFile (in: hFile=0x2d4, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0079.860] SetFilePointer (in: hFile=0x2d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x2e1b [0079.860] SetErrorMode (uMode=0x1) returned 0x1 [0079.860] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0079.860] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0079.860] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0079.860] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e178) returned 1 [0079.860] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e178, dwCertEncodingType=0x1, pInfo=0x248f18, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243438) returned 1 [0079.861] CryptEncrypt (in: hKey=0x243438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0079.861] CryptEncrypt (in: hKey=0x243438, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22e200*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22e200*, pdwDataLen=0x259d19c*=0x80) returned 1 [0079.861] WriteFile (in: hFile=0x2d4, lpBuffer=0x22e200*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22e200*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0079.861] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0079.861] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.861] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.861] CloseHandle (hObject=0x2d4) returned 1 [0079.862] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LIpP.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lipp.mp3")) returned 1 Thread: id = 22 os_tid = 0x36c [0079.873] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0079.873] lstrcpyW (in: lpString1=0x259fa1c, lpString2="m9Pz1Hmu.jpg" | out: lpString1="m9Pz1Hmu.jpg") returned="m9Pz1Hmu.jpg" [0079.873] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0079.873] SetErrorMode (uMode=0x1) returned 0x1 [0079.873] lstrcpyW (in: lpString1=0x259e1ec, lpString2="m9Pz1Hmu.jpg" | out: lpString1="m9Pz1Hmu.jpg") returned="m9Pz1Hmu.jpg" [0079.873] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m9Pz1Hmu.jpg") returned 42 [0079.873] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m9Pz1Hmu.jpg", dwFileAttributes=0x20) returned 1 [0079.874] StrStrW (lpFirst="m9Pz1Hmu.jpg", lpSrch=".Clop") returned 0x0 [0079.874] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m9Pz1Hmu.jpg.Clop") returned 47 [0079.874] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m9Pz1Hmu.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\m9pz1hmu.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d8 [0079.874] ReadFile (in: hFile=0x2d8, lpBuffer=0x256fa8, nNumberOfBytesToRead=0xb228, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesRead=0x259e1d8*=0xb228, lpOverlapped=0x0) returned 1 [0079.875] CloseHandle (hObject=0x2d8) returned 1 [0079.875] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0079.875] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0079.875] SetErrorMode (uMode=0x1) returned 0x1 [0079.875] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22e288) returned 1 [0079.877] CryptGenKey (in: hProv=0x22e288, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243978) returned 1 [0079.904] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.904] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0079.904] CryptDestroyKey (hKey=0x243978) returned 1 [0079.904] CryptReleaseContext (hProv=0x22e288, dwFlags=0x0) returned 1 [0079.904] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m9Pz1Hmu.jpg.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\m9pz1hmu.jpg.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2d8 [0079.905] WriteFile (in: hFile=0x2d8, lpBuffer=0x256fa8*, nNumberOfBytesToWrite=0xb228, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesWritten=0x259e1e8*=0xb228, lpOverlapped=0x0) returned 1 [0079.906] SetFilePointer (in: hFile=0x2d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xb228 [0079.906] WriteFile (in: hFile=0x2d8, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0079.906] SetFilePointer (in: hFile=0x2d8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xb22f [0079.906] SetErrorMode (uMode=0x1) returned 0x1 [0079.906] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0079.906] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0079.906] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0079.906] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e288) returned 1 [0079.906] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e288, dwCertEncodingType=0x1, pInfo=0x2494c8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242ef8) returned 1 [0079.906] CryptEncrypt (in: hKey=0x242ef8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0079.906] CryptEncrypt (in: hKey=0x242ef8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22e398*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22e398*, pdwDataLen=0x259d19c*=0x80) returned 1 [0079.907] WriteFile (in: hFile=0x2d8, lpBuffer=0x22e398*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22e398*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0079.907] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0079.907] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.907] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.907] CloseHandle (hObject=0x2d8) returned 1 [0079.909] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\m9Pz1Hmu.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\m9pz1hmu.jpg")) returned 1 Thread: id = 23 os_tid = 0x7a0 [0080.032] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.032] lstrcpyW (in: lpString1=0x259fa1c, lpString2="NyBrpQ_xx-AQ74dNO8U.mp4" | out: lpString1="NyBrpQ_xx-AQ74dNO8U.mp4") returned="NyBrpQ_xx-AQ74dNO8U.mp4" [0080.032] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.032] SetErrorMode (uMode=0x1) returned 0x1 [0080.032] lstrcpyW (in: lpString1=0x259e1ec, lpString2="NyBrpQ_xx-AQ74dNO8U.mp4" | out: lpString1="NyBrpQ_xx-AQ74dNO8U.mp4") returned="NyBrpQ_xx-AQ74dNO8U.mp4" [0080.032] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NyBrpQ_xx-AQ74dNO8U.mp4") returned 53 [0080.032] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NyBrpQ_xx-AQ74dNO8U.mp4", dwFileAttributes=0x20) returned 1 [0080.033] StrStrW (lpFirst="NyBrpQ_xx-AQ74dNO8U.mp4", lpSrch=".Clop") returned 0x0 [0080.033] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NyBrpQ_xx-AQ74dNO8U.mp4.Clop") returned 58 [0080.033] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NyBrpQ_xx-AQ74dNO8U.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\nybrpq_xx-aq74dno8u.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2dc [0080.033] ReadFile (in: hFile=0x2dc, lpBuffer=0x256fa8, nNumberOfBytesToRead=0x5361, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesRead=0x259e1d8*=0x5361, lpOverlapped=0x0) returned 1 [0080.034] CloseHandle (hObject=0x2dc) returned 1 [0080.034] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0080.034] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0080.034] SetErrorMode (uMode=0x1) returned 0x1 [0080.034] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22e4a8) returned 1 [0080.036] CryptGenKey (in: hProv=0x22e4a8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243038) returned 1 [0080.072] CryptExportKey (in: hKey=0x243038, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.072] CryptExportKey (in: hKey=0x243038, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.072] CryptDestroyKey (hKey=0x243038) returned 1 [0080.072] CryptReleaseContext (hProv=0x22e4a8, dwFlags=0x0) returned 1 [0080.073] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NyBrpQ_xx-AQ74dNO8U.mp4.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\nybrpq_xx-aq74dno8u.mp4.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2dc [0080.073] WriteFile (in: hFile=0x2dc, lpBuffer=0x256fa8*, nNumberOfBytesToWrite=0x5361, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesWritten=0x259e1e8*=0x5361, lpOverlapped=0x0) returned 1 [0080.074] SetFilePointer (in: hFile=0x2dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x5361 [0080.074] WriteFile (in: hFile=0x2dc, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0080.074] SetFilePointer (in: hFile=0x2dc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x5368 [0080.074] SetErrorMode (uMode=0x1) returned 0x1 [0080.074] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0080.074] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0080.074] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0080.074] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e750) returned 1 [0080.074] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e750, dwCertEncodingType=0x1, pInfo=0x249598, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242e78) returned 1 [0080.075] CryptEncrypt (in: hKey=0x242e78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0080.075] CryptEncrypt (in: hKey=0x242e78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22e4a8*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x22e4a8*, pdwDataLen=0x259d19c*=0x80) returned 1 [0080.075] WriteFile (in: hFile=0x2dc, lpBuffer=0x22e4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x22e4a8*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0080.075] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0080.075] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.075] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.076] CloseHandle (hObject=0x2dc) returned 1 [0080.076] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\NyBrpQ_xx-AQ74dNO8U.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\nybrpq_xx-aq74dno8u.mp4")) returned 1 Thread: id = 24 os_tid = 0x68c [0080.110] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.110] lstrcpyW (in: lpString1=0x259fa1c, lpString2="Q4seUw4PucaI98v.bmp" | out: lpString1="Q4seUw4PucaI98v.bmp") returned="Q4seUw4PucaI98v.bmp" [0080.110] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.110] SetErrorMode (uMode=0x1) returned 0x1 [0080.110] lstrcpyW (in: lpString1=0x259e1ec, lpString2="Q4seUw4PucaI98v.bmp" | out: lpString1="Q4seUw4PucaI98v.bmp") returned="Q4seUw4PucaI98v.bmp" [0080.110] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Q4seUw4PucaI98v.bmp") returned 49 [0080.110] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Q4seUw4PucaI98v.bmp", dwFileAttributes=0x20) returned 1 [0080.110] StrStrW (lpFirst="Q4seUw4PucaI98v.bmp", lpSrch=".Clop") returned 0x0 [0080.110] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Q4seUw4PucaI98v.bmp.Clop") returned 54 [0080.110] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Q4seUw4PucaI98v.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\q4seuw4pucai98v.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0 [0080.111] ReadFile (in: hFile=0x2e0, lpBuffer=0x256fa8, nNumberOfBytesToRead=0x8256, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesRead=0x259e1d8*=0x8256, lpOverlapped=0x0) returned 1 [0080.111] CloseHandle (hObject=0x2e0) returned 1 [0080.111] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0080.112] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0080.112] SetErrorMode (uMode=0x1) returned 0x1 [0080.112] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x22e530) returned 1 [0080.114] CryptGenKey (in: hProv=0x22e530, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242eb8) returned 1 [0080.186] CryptExportKey (in: hKey=0x242eb8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.186] CryptExportKey (in: hKey=0x242eb8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.186] CryptDestroyKey (hKey=0x242eb8) returned 1 [0080.186] CryptReleaseContext (hProv=0x22e530, dwFlags=0x0) returned 1 [0080.186] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Q4seUw4PucaI98v.bmp.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\q4seuw4pucai98v.bmp.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e0 [0080.186] WriteFile (in: hFile=0x2e0, lpBuffer=0x256fa8*, nNumberOfBytesToWrite=0x8256, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesWritten=0x259e1e8*=0x8256, lpOverlapped=0x0) returned 1 [0080.187] SetFilePointer (in: hFile=0x2e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x8256 [0080.187] WriteFile (in: hFile=0x2e0, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0080.187] SetFilePointer (in: hFile=0x2e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x825d [0080.187] SetErrorMode (uMode=0x1) returned 0x1 [0080.187] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0080.187] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0080.188] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0080.188] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x22e530) returned 1 [0080.188] CryptImportPublicKeyInfoEx (in: hCryptProv=0x22e530, dwCertEncodingType=0x1, pInfo=0x248558, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2431f8) returned 1 [0080.188] CryptEncrypt (in: hKey=0x2431f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0080.188] CryptEncrypt (in: hKey=0x2431f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b2b0*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b2b0*, pdwDataLen=0x259d19c*=0x80) returned 1 [0080.188] WriteFile (in: hFile=0x2e0, lpBuffer=0x24b2b0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b2b0*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0080.188] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0080.189] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.189] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.189] CloseHandle (hObject=0x2e0) returned 1 [0080.190] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Q4seUw4PucaI98v.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\q4seuw4pucai98v.bmp")) returned 1 Thread: id = 25 os_tid = 0x150 [0080.337] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.337] lstrcpyW (in: lpString1=0x259fa1c, lpString2="sQOzkBJ4zBYE1.ots" | out: lpString1="sQOzkBJ4zBYE1.ots") returned="sQOzkBJ4zBYE1.ots" [0080.337] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.337] SetErrorMode (uMode=0x1) returned 0x1 [0080.338] lstrcpyW (in: lpString1=0x259e1ec, lpString2="sQOzkBJ4zBYE1.ots" | out: lpString1="sQOzkBJ4zBYE1.ots") returned="sQOzkBJ4zBYE1.ots" [0080.338] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sQOzkBJ4zBYE1.ots") returned 47 [0080.338] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sQOzkBJ4zBYE1.ots", dwFileAttributes=0x20) returned 1 [0080.338] StrStrW (lpFirst="sQOzkBJ4zBYE1.ots", lpSrch=".Clop") returned 0x0 [0080.338] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sQOzkBJ4zBYE1.ots.Clop") returned 52 [0080.338] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sQOzkBJ4zBYE1.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sqozkbj4zbye1.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e4 [0080.339] ReadFile (in: hFile=0x2e4, lpBuffer=0x256fa8, nNumberOfBytesToRead=0x9e5f, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesRead=0x259e1d8*=0x9e5f, lpOverlapped=0x0) returned 1 [0080.341] CloseHandle (hObject=0x2e4) returned 1 [0080.341] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0080.341] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0080.341] SetErrorMode (uMode=0x1) returned 0x1 [0080.341] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24b558) returned 1 [0080.343] CryptGenKey (in: hProv=0x24b558, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243038) returned 1 [0080.414] CryptExportKey (in: hKey=0x243038, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.414] CryptExportKey (in: hKey=0x243038, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.414] CryptDestroyKey (hKey=0x243038) returned 1 [0080.414] CryptReleaseContext (hProv=0x24b558, dwFlags=0x0) returned 1 [0080.414] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sQOzkBJ4zBYE1.ots.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sqozkbj4zbye1.ots.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e4 [0080.415] WriteFile (in: hFile=0x2e4, lpBuffer=0x256fa8*, nNumberOfBytesToWrite=0x9e5f, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesWritten=0x259e1e8*=0x9e5f, lpOverlapped=0x0) returned 1 [0080.416] SetFilePointer (in: hFile=0x2e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x9e5f [0080.416] WriteFile (in: hFile=0x2e4, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0080.416] SetFilePointer (in: hFile=0x2e4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x9e66 [0080.416] SetErrorMode (uMode=0x1) returned 0x1 [0080.416] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0080.416] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0080.416] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0080.416] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24bb30) returned 1 [0080.416] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24bb30, dwCertEncodingType=0x1, pInfo=0x248b08, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242c38) returned 1 [0080.416] CryptEncrypt (in: hKey=0x242c38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0080.416] CryptEncrypt (in: hKey=0x242c38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b778*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b778*, pdwDataLen=0x259d19c*=0x80) returned 1 [0080.416] WriteFile (in: hFile=0x2e4, lpBuffer=0x24b778*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b778*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0080.417] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0080.417] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.417] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.420] CloseHandle (hObject=0x2e4) returned 1 [0080.421] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sQOzkBJ4zBYE1.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sqozkbj4zbye1.ots")) returned 1 Thread: id = 26 os_tid = 0x340 [0080.456] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.456] lstrcpyW (in: lpString1=0x259fa1c, lpString2="ubOb0lDCzgG80Xvp.gif" | out: lpString1="ubOb0lDCzgG80Xvp.gif") returned="ubOb0lDCzgG80Xvp.gif" [0080.456] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.456] SetErrorMode (uMode=0x1) returned 0x1 [0080.456] lstrcpyW (in: lpString1=0x259e1ec, lpString2="ubOb0lDCzgG80Xvp.gif" | out: lpString1="ubOb0lDCzgG80Xvp.gif") returned="ubOb0lDCzgG80Xvp.gif" [0080.456] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ubOb0lDCzgG80Xvp.gif") returned 50 [0080.456] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ubOb0lDCzgG80Xvp.gif", dwFileAttributes=0x20) returned 1 [0080.456] StrStrW (lpFirst="ubOb0lDCzgG80Xvp.gif", lpSrch=".Clop") returned 0x0 [0080.457] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ubOb0lDCzgG80Xvp.gif.Clop") returned 55 [0080.457] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ubOb0lDCzgG80Xvp.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ubob0ldczgg80xvp.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e8 [0080.457] ReadFile (in: hFile=0x2e8, lpBuffer=0x256fa8, nNumberOfBytesToRead=0x472e, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesRead=0x259e1d8*=0x472e, lpOverlapped=0x0) returned 1 [0080.458] CloseHandle (hObject=0x2e8) returned 1 [0080.458] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0080.458] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0080.458] SetErrorMode (uMode=0x1) returned 0x1 [0080.458] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24b448) returned 1 [0080.460] CryptGenKey (in: hProv=0x24b448, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x2432f8) returned 1 [0080.483] CryptExportKey (in: hKey=0x2432f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.483] CryptExportKey (in: hKey=0x2432f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.483] CryptDestroyKey (hKey=0x2432f8) returned 1 [0080.483] CryptReleaseContext (hProv=0x24b448, dwFlags=0x0) returned 1 [0080.483] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ubOb0lDCzgG80Xvp.gif.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ubob0ldczgg80xvp.gif.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2e8 [0080.483] WriteFile (in: hFile=0x2e8, lpBuffer=0x256fa8*, nNumberOfBytesToWrite=0x472e, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x256fa8*, lpNumberOfBytesWritten=0x259e1e8*=0x472e, lpOverlapped=0x0) returned 1 [0080.484] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x472e [0080.484] WriteFile (in: hFile=0x2e8, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0080.484] SetFilePointer (in: hFile=0x2e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x4735 [0080.484] SetErrorMode (uMode=0x1) returned 0x1 [0080.484] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0080.484] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0080.484] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0080.484] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24b338) returned 1 [0080.485] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24b338, dwCertEncodingType=0x1, pInfo=0x248628, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242f38) returned 1 [0080.485] CryptEncrypt (in: hKey=0x242f38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0080.485] CryptEncrypt (in: hKey=0x242f38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24ad60*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24ad60*, pdwDataLen=0x259d19c*=0x80) returned 1 [0080.485] WriteFile (in: hFile=0x2e8, lpBuffer=0x24ad60*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24ad60*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0080.485] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0080.486] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.486] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.486] CloseHandle (hObject=0x2e8) returned 1 [0080.487] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ubOb0lDCzgG80Xvp.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ubob0ldczgg80xvp.gif")) returned 1 Thread: id = 27 os_tid = 0x270 [0080.539] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.539] lstrcpyW (in: lpString1=0x259fa1c, lpString2="UErVBDjTS99ZAVVf.mp4" | out: lpString1="UErVBDjTS99ZAVVf.mp4") returned="UErVBDjTS99ZAVVf.mp4" [0080.539] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.539] SetErrorMode (uMode=0x1) returned 0x1 [0080.539] lstrcpyW (in: lpString1=0x259e1ec, lpString2="UErVBDjTS99ZAVVf.mp4" | out: lpString1="UErVBDjTS99ZAVVf.mp4") returned="UErVBDjTS99ZAVVf.mp4" [0080.539] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\UErVBDjTS99ZAVVf.mp4") returned 50 [0080.539] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\UErVBDjTS99ZAVVf.mp4", dwFileAttributes=0x20) returned 1 [0080.539] StrStrW (lpFirst="UErVBDjTS99ZAVVf.mp4", lpSrch=".Clop") returned 0x0 [0080.539] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\UErVBDjTS99ZAVVf.mp4.Clop") returned 55 [0080.539] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\UErVBDjTS99ZAVVf.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\uervbdjts99zavvf.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0080.540] ReadFile (in: hFile=0x2ec, lpBuffer=0x283f60, nNumberOfBytesToRead=0x1778e, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x283f60*, lpNumberOfBytesRead=0x259e1d8*=0x1778e, lpOverlapped=0x0) returned 1 [0080.541] CloseHandle (hObject=0x2ec) returned 1 [0080.541] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0080.541] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0080.541] SetErrorMode (uMode=0x1) returned 0x1 [0080.541] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24ade8) returned 1 [0080.545] CryptGenKey (in: hProv=0x24ade8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243178) returned 1 [0080.590] CryptExportKey (in: hKey=0x243178, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.590] CryptExportKey (in: hKey=0x243178, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.590] CryptDestroyKey (hKey=0x243178) returned 1 [0080.590] CryptReleaseContext (hProv=0x24ade8, dwFlags=0x0) returned 1 [0080.591] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\UErVBDjTS99ZAVVf.mp4.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\uervbdjts99zavvf.mp4.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ec [0080.591] WriteFile (in: hFile=0x2ec, lpBuffer=0x283f60*, nNumberOfBytesToWrite=0x1778e, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x283f60*, lpNumberOfBytesWritten=0x259e1e8*=0x1778e, lpOverlapped=0x0) returned 1 [0080.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1778e [0080.592] WriteFile (in: hFile=0x2ec, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0080.592] SetFilePointer (in: hFile=0x2ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x17795 [0080.593] SetErrorMode (uMode=0x1) returned 0x1 [0080.593] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0080.593] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0080.593] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0080.593] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24b5e0) returned 1 [0080.593] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24b5e0, dwCertEncodingType=0x1, pInfo=0x249668, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242fb8) returned 1 [0080.593] CryptEncrypt (in: hKey=0x242fb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0080.593] CryptEncrypt (in: hKey=0x242fb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24ac50*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24ac50*, pdwDataLen=0x259d19c*=0x80) returned 1 [0080.593] WriteFile (in: hFile=0x2ec, lpBuffer=0x24ac50*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24ac50*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0080.593] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0080.594] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.594] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.594] CloseHandle (hObject=0x2ec) returned 1 [0080.596] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\UErVBDjTS99ZAVVf.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\uervbdjts99zavvf.mp4")) returned 1 Thread: id = 28 os_tid = 0xc28 [0080.642] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.642] lstrcpyW (in: lpString1=0x259fa1c, lpString2="v-4HDop8QcfjvXfepmKD.mp3" | out: lpString1="v-4HDop8QcfjvXfepmKD.mp3") returned="v-4HDop8QcfjvXfepmKD.mp3" [0080.642] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.642] SetErrorMode (uMode=0x1) returned 0x1 [0080.642] lstrcpyW (in: lpString1=0x259e1ec, lpString2="v-4HDop8QcfjvXfepmKD.mp3" | out: lpString1="v-4HDop8QcfjvXfepmKD.mp3") returned="v-4HDop8QcfjvXfepmKD.mp3" [0080.642] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v-4HDop8QcfjvXfepmKD.mp3") returned 54 [0080.642] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v-4HDop8QcfjvXfepmKD.mp3", dwFileAttributes=0x20) returned 1 [0080.643] StrStrW (lpFirst="v-4HDop8QcfjvXfepmKD.mp3", lpSrch=".Clop") returned 0x0 [0080.643] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v-4HDop8QcfjvXfepmKD.mp3.Clop") returned 59 [0080.643] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v-4HDop8QcfjvXfepmKD.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\v-4hdop8qcfjvxfepmkd.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f0 [0080.643] ReadFile (in: hFile=0x2f0, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0x4ba3, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x259e1d8*=0x4ba3, lpOverlapped=0x0) returned 1 [0080.644] CloseHandle (hObject=0x2f0) returned 1 [0080.644] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0080.644] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0080.644] SetErrorMode (uMode=0x1) returned 0x1 [0080.644] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24af80) returned 1 [0080.646] CryptGenKey (in: hProv=0x24af80, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243178) returned 1 [0080.744] CryptExportKey (in: hKey=0x243178, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.744] CryptExportKey (in: hKey=0x243178, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.744] CryptDestroyKey (hKey=0x243178) returned 1 [0080.744] CryptReleaseContext (hProv=0x24af80, dwFlags=0x0) returned 1 [0080.744] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v-4HDop8QcfjvXfepmKD.mp3.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\v-4hdop8qcfjvxfepmkd.mp3.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f0 [0080.744] WriteFile (in: hFile=0x2f0, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0x4ba3, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x259e1e8*=0x4ba3, lpOverlapped=0x0) returned 1 [0080.745] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x4ba3 [0080.745] WriteFile (in: hFile=0x2f0, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0080.747] SetFilePointer (in: hFile=0x2f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x4baa [0080.747] SetErrorMode (uMode=0x1) returned 0x1 [0080.747] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0080.747] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0080.747] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0080.747] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24bbb8) returned 1 [0080.748] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24bbb8, dwCertEncodingType=0x1, pInfo=0x249328, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242cf8) returned 1 [0080.748] CryptEncrypt (in: hKey=0x242cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0080.748] CryptEncrypt (in: hKey=0x242cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b998*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b998*, pdwDataLen=0x259d19c*=0x80) returned 1 [0080.748] WriteFile (in: hFile=0x2f0, lpBuffer=0x24b998*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b998*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0080.748] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0080.748] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.748] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.748] CloseHandle (hObject=0x2f0) returned 1 [0080.749] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v-4HDop8QcfjvXfepmKD.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\v-4hdop8qcfjvxfepmkd.mp3")) returned 1 Thread: id = 29 os_tid = 0xd0 [0080.794] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.794] lstrcpyW (in: lpString1=0x259fa1c, lpString2="vJHGxh-.png" | out: lpString1="vJHGxh-.png") returned="vJHGxh-.png" [0080.794] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.794] SetErrorMode (uMode=0x1) returned 0x1 [0080.794] lstrcpyW (in: lpString1=0x259e1ec, lpString2="vJHGxh-.png" | out: lpString1="vJHGxh-.png") returned="vJHGxh-.png" [0080.794] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\vJHGxh-.png") returned 41 [0080.794] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\vJHGxh-.png", dwFileAttributes=0x20) returned 1 [0080.795] StrStrW (lpFirst="vJHGxh-.png", lpSrch=".Clop") returned 0x0 [0080.795] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\vJHGxh-.png.Clop") returned 46 [0080.795] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\vJHGxh-.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vjhgxh-.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f4 [0080.795] ReadFile (in: hFile=0x2f4, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0x8464, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x259e1d8*=0x8464, lpOverlapped=0x0) returned 1 [0080.796] CloseHandle (hObject=0x2f4) returned 1 [0080.796] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0080.796] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0080.796] SetErrorMode (uMode=0x1) returned 0x1 [0080.796] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24b118) returned 1 [0080.798] CryptGenKey (in: hProv=0x24b118, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242f78) returned 1 [0080.865] CryptExportKey (in: hKey=0x242f78, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.865] CryptExportKey (in: hKey=0x242f78, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.865] CryptDestroyKey (hKey=0x242f78) returned 1 [0080.865] CryptReleaseContext (hProv=0x24b118, dwFlags=0x0) returned 1 [0080.866] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\vJHGxh-.png.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vjhgxh-.png.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f4 [0080.866] WriteFile (in: hFile=0x2f4, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0x8464, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x259e1e8*=0x8464, lpOverlapped=0x0) returned 1 [0080.867] SetFilePointer (in: hFile=0x2f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x8464 [0080.867] WriteFile (in: hFile=0x2f4, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0080.867] SetFilePointer (in: hFile=0x2f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x846b [0080.867] SetErrorMode (uMode=0x1) returned 0x1 [0080.867] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0080.867] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0080.867] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0080.867] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24b090) returned 1 [0080.867] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24b090, dwCertEncodingType=0x1, pInfo=0x248bd8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242df8) returned 1 [0080.867] CryptEncrypt (in: hKey=0x242df8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0080.867] CryptEncrypt (in: hKey=0x242df8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b118*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b118*, pdwDataLen=0x259d19c*=0x80) returned 1 [0080.868] WriteFile (in: hFile=0x2f4, lpBuffer=0x24b118*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b118*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0080.868] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0080.868] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.868] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.869] CloseHandle (hObject=0x2f4) returned 1 [0080.870] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\vJHGxh-.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vjhgxh-.png")) returned 1 Thread: id = 30 os_tid = 0xa44 [0080.896] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.896] lstrcpyW (in: lpString1=0x259fa1c, lpString2="VUe3zwqA.bmp" | out: lpString1="VUe3zwqA.bmp") returned="VUe3zwqA.bmp" [0080.896] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.896] SetErrorMode (uMode=0x1) returned 0x1 [0080.896] lstrcpyW (in: lpString1=0x259e1ec, lpString2="VUe3zwqA.bmp" | out: lpString1="VUe3zwqA.bmp") returned="VUe3zwqA.bmp" [0080.896] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VUe3zwqA.bmp") returned 42 [0080.896] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VUe3zwqA.bmp", dwFileAttributes=0x20) returned 1 [0080.896] StrStrW (lpFirst="VUe3zwqA.bmp", lpSrch=".Clop") returned 0x0 [0080.896] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VUe3zwqA.bmp.Clop") returned 47 [0080.896] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VUe3zwqA.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vue3zwqa.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f8 [0080.897] ReadFile (in: hFile=0x2f8, lpBuffer=0x2666f8, nNumberOfBytesToRead=0x1a9f, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x2666f8*, lpNumberOfBytesRead=0x259e1d8*=0x1a9f, lpOverlapped=0x0) returned 1 [0080.897] CloseHandle (hObject=0x2f8) returned 1 [0080.897] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0080.898] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0080.898] SetErrorMode (uMode=0x1) returned 0x1 [0080.898] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24bc40) returned 1 [0080.900] CryptGenKey (in: hProv=0x24bc40, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242db8) returned 1 [0080.959] CryptExportKey (in: hKey=0x242db8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.959] CryptExportKey (in: hKey=0x242db8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0080.959] CryptDestroyKey (hKey=0x242db8) returned 1 [0080.959] CryptReleaseContext (hProv=0x24bc40, dwFlags=0x0) returned 1 [0080.960] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VUe3zwqA.bmp.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vue3zwqa.bmp.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2f8 [0080.960] WriteFile (in: hFile=0x2f8, lpBuffer=0x2666f8*, nNumberOfBytesToWrite=0x1a9f, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x2666f8*, lpNumberOfBytesWritten=0x259e1e8*=0x1a9f, lpOverlapped=0x0) returned 1 [0080.961] SetFilePointer (in: hFile=0x2f8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1a9f [0080.961] WriteFile (in: hFile=0x2f8, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0080.961] SetFilePointer (in: hFile=0x2f8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1aa6 [0080.961] SetErrorMode (uMode=0x1) returned 0x1 [0080.961] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0080.961] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0080.961] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0080.961] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24b008) returned 1 [0080.961] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24b008, dwCertEncodingType=0x1, pInfo=0x249738, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242db8) returned 1 [0080.961] CryptEncrypt (in: hKey=0x242db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0080.961] CryptEncrypt (in: hKey=0x242db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24af80*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24af80*, pdwDataLen=0x259d19c*=0x80) returned 1 [0080.961] WriteFile (in: hFile=0x2f8, lpBuffer=0x24af80*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24af80*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0080.961] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0080.961] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.962] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.962] CloseHandle (hObject=0x2f8) returned 1 [0080.962] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\VUe3zwqA.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\vue3zwqa.bmp")) returned 1 Thread: id = 31 os_tid = 0x98c [0080.985] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0080.985] lstrcpyW (in: lpString1=0x259fa1c, lpString2="XX4thRNGxg6Fuju-.gif" | out: lpString1="XX4thRNGxg6Fuju-.gif") returned="XX4thRNGxg6Fuju-.gif" [0080.985] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0080.985] SetErrorMode (uMode=0x1) returned 0x1 [0080.985] lstrcpyW (in: lpString1=0x259e1ec, lpString2="XX4thRNGxg6Fuju-.gif" | out: lpString1="XX4thRNGxg6Fuju-.gif") returned="XX4thRNGxg6Fuju-.gif" [0080.985] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XX4thRNGxg6Fuju-.gif") returned 50 [0080.985] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XX4thRNGxg6Fuju-.gif", dwFileAttributes=0x20) returned 1 [0080.986] StrStrW (lpFirst="XX4thRNGxg6Fuju-.gif", lpSrch=".Clop") returned 0x0 [0080.986] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XX4thRNGxg6Fuju-.gif.Clop") returned 55 [0080.986] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XX4thRNGxg6Fuju-.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xx4thrngxg6fuju-.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2fc [0080.986] ReadFile (in: hFile=0x2fc, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0x12e40, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x259e1d8*=0x12e40, lpOverlapped=0x0) returned 1 [0080.987] CloseHandle (hObject=0x2fc) returned 1 [0080.987] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0080.987] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0080.987] SetErrorMode (uMode=0x1) returned 0x1 [0080.987] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24b448) returned 1 [0080.989] CryptGenKey (in: hProv=0x24b448, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x2432f8) returned 1 [0081.019] CryptExportKey (in: hKey=0x2432f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.019] CryptExportKey (in: hKey=0x2432f8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.019] CryptDestroyKey (hKey=0x2432f8) returned 1 [0081.019] CryptReleaseContext (hProv=0x24b448, dwFlags=0x0) returned 1 [0081.019] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XX4thRNGxg6Fuju-.gif.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xx4thrngxg6fuju-.gif.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2fc [0081.019] WriteFile (in: hFile=0x2fc, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0x12e40, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x259e1e8*=0x12e40, lpOverlapped=0x0) returned 1 [0081.021] SetFilePointer (in: hFile=0x2fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x12e40 [0081.021] WriteFile (in: hFile=0x2fc, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.021] SetFilePointer (in: hFile=0x2fc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x12e47 [0081.021] SetErrorMode (uMode=0x1) returned 0x1 [0081.021] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.021] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.021] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.021] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24b3c0) returned 1 [0081.021] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24b3c0, dwCertEncodingType=0x1, pInfo=0x248fe8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2432b8) returned 1 [0081.021] CryptEncrypt (in: hKey=0x2432b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.021] CryptEncrypt (in: hKey=0x2432b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b1a0*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b1a0*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.021] WriteFile (in: hFile=0x2fc, lpBuffer=0x24b1a0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b1a0*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.021] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.022] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.022] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.022] CloseHandle (hObject=0x2fc) returned 1 [0081.024] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\XX4thRNGxg6Fuju-.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xx4thrngxg6fuju-.gif")) returned 1 Thread: id = 32 os_tid = 0xc20 [0081.048] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.048] lstrcpyW (in: lpString1=0x259fa1c, lpString2="YPIwdbokYQ4R 4UIuz5l.swf" | out: lpString1="YPIwdbokYQ4R 4UIuz5l.swf") returned="YPIwdbokYQ4R 4UIuz5l.swf" [0081.048] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0081.048] SetErrorMode (uMode=0x1) returned 0x1 [0081.048] lstrcpyW (in: lpString1=0x259e1ec, lpString2="YPIwdbokYQ4R 4UIuz5l.swf" | out: lpString1="YPIwdbokYQ4R 4UIuz5l.swf") returned="YPIwdbokYQ4R 4UIuz5l.swf" [0081.049] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YPIwdbokYQ4R 4UIuz5l.swf") returned 54 [0081.049] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YPIwdbokYQ4R 4UIuz5l.swf", dwFileAttributes=0x20) returned 1 [0081.049] StrStrW (lpFirst="YPIwdbokYQ4R 4UIuz5l.swf", lpSrch=".Clop") returned 0x0 [0081.049] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YPIwdbokYQ4R 4UIuz5l.swf.Clop") returned 59 [0081.049] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YPIwdbokYQ4R 4UIuz5l.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ypiwdbokyq4r 4uiuz5l.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x300 [0081.049] ReadFile (in: hFile=0x300, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0x40e6, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x259e1d8*=0x40e6, lpOverlapped=0x0) returned 1 [0081.050] CloseHandle (hObject=0x300) returned 1 [0081.050] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.050] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.050] SetErrorMode (uMode=0x1) returned 0x1 [0081.050] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24ade8) returned 1 [0081.052] CryptGenKey (in: hProv=0x24ade8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242ff8) returned 1 [0081.084] CryptExportKey (in: hKey=0x242ff8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.084] CryptExportKey (in: hKey=0x242ff8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.084] CryptDestroyKey (hKey=0x242ff8) returned 1 [0081.084] CryptReleaseContext (hProv=0x24ade8, dwFlags=0x0) returned 1 [0081.084] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YPIwdbokYQ4R 4UIuz5l.swf.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ypiwdbokyq4r 4uiuz5l.swf.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x300 [0081.084] WriteFile (in: hFile=0x300, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0x40e6, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x259e1e8*=0x40e6, lpOverlapped=0x0) returned 1 [0081.085] SetFilePointer (in: hFile=0x300, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x40e6 [0081.085] WriteFile (in: hFile=0x300, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.085] SetFilePointer (in: hFile=0x300, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x40ed [0081.086] SetErrorMode (uMode=0x1) returned 0x1 [0081.086] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.086] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.086] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.086] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24bc40) returned 1 [0081.086] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24bc40, dwCertEncodingType=0x1, pInfo=0x2487c8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2432f8) returned 1 [0081.086] CryptEncrypt (in: hKey=0x2432f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.086] CryptEncrypt (in: hKey=0x2432f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b448*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b448*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.086] WriteFile (in: hFile=0x300, lpBuffer=0x24b448*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b448*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.086] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.086] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.086] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.087] CloseHandle (hObject=0x300) returned 1 [0081.087] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YPIwdbokYQ4R 4UIuz5l.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ypiwdbokyq4r 4uiuz5l.swf")) returned 1 Thread: id = 33 os_tid = 0x618 [0081.104] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.104] lstrcpyW (in: lpString1=0x259fa1c, lpString2="3cM9klXep32Nuxcrw.m4a" | out: lpString1="3cM9klXep32Nuxcrw.m4a") returned="3cM9klXep32Nuxcrw.m4a" [0081.104] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.104] SetErrorMode (uMode=0x1) returned 0x1 [0081.105] lstrcpyW (in: lpString1=0x259e1ec, lpString2="3cM9klXep32Nuxcrw.m4a" | out: lpString1="3cM9klXep32Nuxcrw.m4a") returned="3cM9klXep32Nuxcrw.m4a" [0081.105] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\3cM9klXep32Nuxcrw.m4a") returned 69 [0081.105] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\3cM9klXep32Nuxcrw.m4a", dwFileAttributes=0x20) returned 1 [0081.106] StrStrW (lpFirst="3cM9klXep32Nuxcrw.m4a", lpSrch=".Clop") returned 0x0 [0081.106] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\3cM9klXep32Nuxcrw.m4a.Clop") returned 74 [0081.106] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\3cM9klXep32Nuxcrw.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\3cm9klxep32nuxcrw.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x300 [0081.106] ReadFile (in: hFile=0x300, lpBuffer=0x293f68, nNumberOfBytesToRead=0x1099f, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x293f68*, lpNumberOfBytesRead=0x259e1d8*=0x1099f, lpOverlapped=0x0) returned 1 [0081.107] CloseHandle (hObject=0x300) returned 1 [0081.107] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.107] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.107] SetErrorMode (uMode=0x1) returned 0x1 [0081.107] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24b558) returned 1 [0081.109] CryptGenKey (in: hProv=0x24b558, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x2434b8) returned 1 [0081.384] CryptExportKey (in: hKey=0x2434b8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.384] CryptExportKey (in: hKey=0x2434b8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.384] CryptDestroyKey (hKey=0x2434b8) returned 1 [0081.384] CryptReleaseContext (hProv=0x24b558, dwFlags=0x0) returned 1 [0081.384] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\3cM9klXep32Nuxcrw.m4a.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\3cm9klxep32nuxcrw.m4a.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x300 [0081.384] WriteFile (in: hFile=0x300, lpBuffer=0x293f68*, nNumberOfBytesToWrite=0x1099f, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x293f68*, lpNumberOfBytesWritten=0x259e1e8*=0x1099f, lpOverlapped=0x0) returned 1 [0081.386] SetFilePointer (in: hFile=0x300, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1099f [0081.386] WriteFile (in: hFile=0x300, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.386] SetFilePointer (in: hFile=0x300, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x109a6 [0081.386] SetErrorMode (uMode=0x1) returned 0x1 [0081.386] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.386] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.386] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.386] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24abc8) returned 1 [0081.387] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24abc8, dwCertEncodingType=0x1, pInfo=0x2490b8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242cb8) returned 1 [0081.387] CryptEncrypt (in: hKey=0x242cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.387] CryptEncrypt (in: hKey=0x242cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b800*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b800*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.387] WriteFile (in: hFile=0x300, lpBuffer=0x24b800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b800*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.387] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.388] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.388] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.388] CloseHandle (hObject=0x300) returned 1 [0081.390] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\3cM9klXep32Nuxcrw.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\3cm9klxep32nuxcrw.m4a")) returned 1 Thread: id = 34 os_tid = 0x75c [0081.398] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.398] lstrcpyW (in: lpString1=0x259fa1c, lpString2="e4VC-WbG.pptx" | out: lpString1="e4VC-WbG.pptx") returned="e4VC-WbG.pptx" [0081.398] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.398] SetErrorMode (uMode=0x1) returned 0x1 [0081.398] lstrcpyW (in: lpString1=0x259e1ec, lpString2="e4VC-WbG.pptx" | out: lpString1="e4VC-WbG.pptx") returned="e4VC-WbG.pptx" [0081.398] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\e4VC-WbG.pptx") returned 61 [0081.398] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\e4VC-WbG.pptx", dwFileAttributes=0x20) returned 1 [0081.411] StrStrW (lpFirst="e4VC-WbG.pptx", lpSrch=".Clop") returned 0x0 [0081.411] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\e4VC-WbG.pptx.Clop") returned 66 [0081.411] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\e4VC-WbG.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\e4vc-wbg.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x30c [0081.412] ReadFile (in: hFile=0x30c, lpBuffer=0x2730e0, nNumberOfBytesToRead=0x56ba, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x2730e0*, lpNumberOfBytesRead=0x259e1d8*=0x56ba, lpOverlapped=0x0) returned 1 [0081.413] CloseHandle (hObject=0x30c) returned 1 [0081.413] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.413] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.413] SetErrorMode (uMode=0x1) returned 0x1 [0081.413] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24b888) returned 1 [0081.416] CryptGenKey (in: hProv=0x24b888, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243338) returned 1 [0081.482] CryptExportKey (in: hKey=0x243338, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.482] CryptExportKey (in: hKey=0x243338, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.482] CryptDestroyKey (hKey=0x243338) returned 1 [0081.482] CryptReleaseContext (hProv=0x24b888, dwFlags=0x0) returned 1 [0081.482] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\e4VC-WbG.pptx.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\e4vc-wbg.pptx.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x30c [0081.482] WriteFile (in: hFile=0x30c, lpBuffer=0x2730e0*, nNumberOfBytesToWrite=0x56ba, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x2730e0*, lpNumberOfBytesWritten=0x259e1e8*=0x56ba, lpOverlapped=0x0) returned 1 [0081.483] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x56ba [0081.483] WriteFile (in: hFile=0x30c, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.483] SetFilePointer (in: hFile=0x30c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x56c1 [0081.483] SetErrorMode (uMode=0x1) returned 0x1 [0081.484] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.484] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.484] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.484] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24ae70) returned 1 [0081.484] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24ae70, dwCertEncodingType=0x1, pInfo=0x249258, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x2430f8) returned 1 [0081.484] CryptEncrypt (in: hKey=0x2430f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.484] CryptEncrypt (in: hKey=0x2430f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b668*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b668*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.484] WriteFile (in: hFile=0x30c, lpBuffer=0x24b668*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b668*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.484] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.484] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.484] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.485] CloseHandle (hObject=0x30c) returned 1 [0081.485] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\e4VC-WbG.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\e4vc-wbg.pptx")) returned 1 Thread: id = 35 os_tid = 0x7fc [0081.501] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.501] lstrcpyW (in: lpString1=0x259fa1c, lpString2="mLjbzi.wav" | out: lpString1="mLjbzi.wav") returned="mLjbzi.wav" [0081.501] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.501] SetErrorMode (uMode=0x1) returned 0x1 [0081.501] lstrcpyW (in: lpString1=0x259e1ec, lpString2="mLjbzi.wav" | out: lpString1="mLjbzi.wav") returned="mLjbzi.wav" [0081.501] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\mLjbzi.wav") returned 58 [0081.501] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\mLjbzi.wav", dwFileAttributes=0x20) returned 1 [0081.502] StrStrW (lpFirst="mLjbzi.wav", lpSrch=".Clop") returned 0x0 [0081.502] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\mLjbzi.wav.Clop") returned 63 [0081.502] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\mLjbzi.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\mljbzi.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x310 [0081.502] ReadFile (in: hFile=0x310, lpBuffer=0x2730e0, nNumberOfBytesToRead=0xa9c8, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x2730e0*, lpNumberOfBytesRead=0x259e1d8*=0xa9c8, lpOverlapped=0x0) returned 1 [0081.503] CloseHandle (hObject=0x310) returned 1 [0081.503] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.503] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.503] SetErrorMode (uMode=0x1) returned 0x1 [0081.504] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24aef8) returned 1 [0081.505] CryptGenKey (in: hProv=0x24aef8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242ff8) returned 1 [0081.531] CryptExportKey (in: hKey=0x242ff8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.531] CryptExportKey (in: hKey=0x242ff8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.531] CryptDestroyKey (hKey=0x242ff8) returned 1 [0081.531] CryptReleaseContext (hProv=0x24aef8, dwFlags=0x0) returned 1 [0081.531] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\mLjbzi.wav.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\mljbzi.wav.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x310 [0081.531] WriteFile (in: hFile=0x310, lpBuffer=0x2730e0*, nNumberOfBytesToWrite=0xa9c8, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x2730e0*, lpNumberOfBytesWritten=0x259e1e8*=0xa9c8, lpOverlapped=0x0) returned 1 [0081.532] SetFilePointer (in: hFile=0x310, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xa9c8 [0081.532] WriteFile (in: hFile=0x310, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.532] SetFilePointer (in: hFile=0x310, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xa9cf [0081.532] SetErrorMode (uMode=0x1) returned 0x1 [0081.532] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.532] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.532] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.533] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24acd8) returned 1 [0081.533] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24acd8, dwCertEncodingType=0x1, pInfo=0x2493f8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242c78) returned 1 [0081.533] CryptEncrypt (in: hKey=0x242c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.533] CryptEncrypt (in: hKey=0x242c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b4d0*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b4d0*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.533] WriteFile (in: hFile=0x310, lpBuffer=0x24b4d0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b4d0*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.533] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.533] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.534] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.534] CloseHandle (hObject=0x310) returned 1 [0081.535] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\mLjbzi.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\mljbzi.wav")) returned 1 Thread: id = 36 os_tid = 0xaf4 [0081.546] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.546] lstrcpyW (in: lpString1=0x259fa1c, lpString2="q3vEzMh.jpg" | out: lpString1="q3vEzMh.jpg") returned="q3vEzMh.jpg" [0081.546] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.546] SetErrorMode (uMode=0x1) returned 0x1 [0081.546] lstrcpyW (in: lpString1=0x259e1ec, lpString2="q3vEzMh.jpg" | out: lpString1="q3vEzMh.jpg") returned="q3vEzMh.jpg" [0081.546] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\q3vEzMh.jpg") returned 59 [0081.546] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\q3vEzMh.jpg", dwFileAttributes=0x20) returned 1 [0081.547] StrStrW (lpFirst="q3vEzMh.jpg", lpSrch=".Clop") returned 0x0 [0081.547] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\q3vEzMh.jpg.Clop") returned 64 [0081.547] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\q3vEzMh.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\q3vezmh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.548] ReadFile (in: hFile=0x314, lpBuffer=0x2730e0, nNumberOfBytesToRead=0xacf9, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x2730e0*, lpNumberOfBytesRead=0x259e1d8*=0xacf9, lpOverlapped=0x0) returned 1 [0081.548] CloseHandle (hObject=0x314) returned 1 [0081.548] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.549] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.549] SetErrorMode (uMode=0x1) returned 0x1 [0081.549] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24b558) returned 1 [0081.551] CryptGenKey (in: hProv=0x24b558, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242ff8) returned 1 [0081.575] CryptExportKey (in: hKey=0x242ff8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.575] CryptExportKey (in: hKey=0x242ff8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.575] CryptDestroyKey (hKey=0x242ff8) returned 1 [0081.575] CryptReleaseContext (hProv=0x24b558, dwFlags=0x0) returned 1 [0081.575] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\q3vEzMh.jpg.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\q3vezmh.jpg.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x314 [0081.576] WriteFile (in: hFile=0x314, lpBuffer=0x2730e0*, nNumberOfBytesToWrite=0xacf9, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x2730e0*, lpNumberOfBytesWritten=0x259e1e8*=0xacf9, lpOverlapped=0x0) returned 1 [0081.577] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xacf9 [0081.577] WriteFile (in: hFile=0x314, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.577] SetFilePointer (in: hFile=0x314, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xad00 [0081.577] SetErrorMode (uMode=0x1) returned 0x1 [0081.577] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.577] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.577] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.577] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24b888) returned 1 [0081.577] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24b888, dwCertEncodingType=0x1, pInfo=0x249ce8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243178) returned 1 [0081.577] CryptEncrypt (in: hKey=0x243178, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.578] CryptEncrypt (in: hKey=0x243178, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b228*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b228*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.578] WriteFile (in: hFile=0x314, lpBuffer=0x24b228*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b228*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.578] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.578] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.578] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.578] CloseHandle (hObject=0x314) returned 1 [0081.579] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\q3vEzMh.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\q3vezmh.jpg")) returned 1 Thread: id = 37 os_tid = 0xf0 [0081.583] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.583] lstrcpyW (in: lpString1=0x259fa1c, lpString2="tgt23cY kRsq.mkv" | out: lpString1="tgt23cY kRsq.mkv") returned="tgt23cY kRsq.mkv" [0081.583] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.583] SetErrorMode (uMode=0x1) returned 0x1 [0081.584] lstrcpyW (in: lpString1=0x259e1ec, lpString2="tgt23cY kRsq.mkv" | out: lpString1="tgt23cY kRsq.mkv") returned="tgt23cY kRsq.mkv" [0081.584] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\tgt23cY kRsq.mkv") returned 64 [0081.584] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\tgt23cY kRsq.mkv", dwFileAttributes=0x20) returned 1 [0081.584] StrStrW (lpFirst="tgt23cY kRsq.mkv", lpSrch=".Clop") returned 0x0 [0081.584] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\tgt23cY kRsq.mkv.Clop") returned 69 [0081.584] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\tgt23cY kRsq.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\tgt23cy krsq.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0081.585] ReadFile (in: hFile=0x318, lpBuffer=0x2730e0, nNumberOfBytesToRead=0xcab5, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x2730e0*, lpNumberOfBytesRead=0x259e1d8*=0xcab5, lpOverlapped=0x0) returned 1 [0081.586] CloseHandle (hObject=0x318) returned 1 [0081.586] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.586] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.586] SetErrorMode (uMode=0x1) returned 0x1 [0081.586] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24ade8) returned 1 [0081.588] CryptGenKey (in: hProv=0x24ade8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242ff8) returned 1 [0081.629] CryptExportKey (in: hKey=0x242ff8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.629] CryptExportKey (in: hKey=0x242ff8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.629] CryptDestroyKey (hKey=0x242ff8) returned 1 [0081.629] CryptReleaseContext (hProv=0x24ade8, dwFlags=0x0) returned 1 [0081.630] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\tgt23cY kRsq.mkv.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\tgt23cy krsq.mkv.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x318 [0081.630] WriteFile (in: hFile=0x318, lpBuffer=0x2730e0*, nNumberOfBytesToWrite=0xcab5, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x2730e0*, lpNumberOfBytesWritten=0x259e1e8*=0xcab5, lpOverlapped=0x0) returned 1 [0081.631] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xcab5 [0081.631] WriteFile (in: hFile=0x318, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.631] SetFilePointer (in: hFile=0x318, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xcabc [0081.631] SetErrorMode (uMode=0x1) returned 0x1 [0081.631] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.631] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.631] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.631] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24b558) returned 1 [0081.632] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24b558, dwCertEncodingType=0x1, pInfo=0x249808, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242ff8) returned 1 [0081.632] CryptEncrypt (in: hKey=0x242ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.632] CryptEncrypt (in: hKey=0x242ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24aef8*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24aef8*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.632] WriteFile (in: hFile=0x318, lpBuffer=0x24aef8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24aef8*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.632] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.633] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.633] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.633] CloseHandle (hObject=0x318) returned 1 [0081.634] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\tgt23cY kRsq.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\tgt23cy krsq.mkv")) returned 1 Thread: id = 38 os_tid = 0x200 [0081.639] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.639] lstrcpyW (in: lpString1=0x259fa1c, lpString2="vHN4y WQ89shIcD.mp3" | out: lpString1="vHN4y WQ89shIcD.mp3") returned="vHN4y WQ89shIcD.mp3" [0081.639] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\" [0081.639] SetErrorMode (uMode=0x1) returned 0x1 [0081.639] lstrcpyW (in: lpString1=0x259e1ec, lpString2="vHN4y WQ89shIcD.mp3" | out: lpString1="vHN4y WQ89shIcD.mp3") returned="vHN4y WQ89shIcD.mp3" [0081.639] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\vHN4y WQ89shIcD.mp3") returned 67 [0081.639] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\vHN4y WQ89shIcD.mp3", dwFileAttributes=0x20) returned 1 [0081.640] StrStrW (lpFirst="vHN4y WQ89shIcD.mp3", lpSrch=".Clop") returned 0x0 [0081.640] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\vHN4y WQ89shIcD.mp3.Clop") returned 72 [0081.640] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\vHN4y WQ89shIcD.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\vhn4y wq89shicd.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x31c [0081.641] ReadFile (in: hFile=0x31c, lpBuffer=0x293f68, nNumberOfBytesToRead=0x1539c, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x293f68*, lpNumberOfBytesRead=0x259e1d8*=0x1539c, lpOverlapped=0x0) returned 1 [0081.641] CloseHandle (hObject=0x31c) returned 1 [0081.641] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.642] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.642] SetErrorMode (uMode=0x1) returned 0x1 [0081.642] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24b6f0) returned 1 [0081.644] CryptGenKey (in: hProv=0x24b6f0, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242d38) returned 1 [0081.675] CryptExportKey (in: hKey=0x242d38, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.675] CryptExportKey (in: hKey=0x242d38, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.675] CryptDestroyKey (hKey=0x242d38) returned 1 [0081.675] CryptReleaseContext (hProv=0x24b6f0, dwFlags=0x0) returned 1 [0081.675] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\vHN4y WQ89shIcD.mp3.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\vhn4y wq89shicd.mp3.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x31c [0081.676] WriteFile (in: hFile=0x31c, lpBuffer=0x293f68*, nNumberOfBytesToWrite=0x1539c, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x293f68*, lpNumberOfBytesWritten=0x259e1e8*=0x1539c, lpOverlapped=0x0) returned 1 [0081.677] SetFilePointer (in: hFile=0x31c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1539c [0081.677] WriteFile (in: hFile=0x31c, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.677] SetFilePointer (in: hFile=0x31c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x153a3 [0081.678] SetErrorMode (uMode=0x1) returned 0x1 [0081.678] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.678] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.678] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.678] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24ade8) returned 1 [0081.678] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24ade8, dwCertEncodingType=0x1, pInfo=0x248a38, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242eb8) returned 1 [0081.678] CryptEncrypt (in: hKey=0x242eb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.678] CryptEncrypt (in: hKey=0x242eb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24b6f0*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24b6f0*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.678] WriteFile (in: hFile=0x31c, lpBuffer=0x24b6f0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24b6f0*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.678] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.679] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.679] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.679] CloseHandle (hObject=0x31c) returned 1 [0081.681] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\vHN4y WQ89shIcD.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\vhn4y wq89shicd.mp3")) returned 1 Thread: id = 39 os_tid = 0x278 [0081.690] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.690] lstrcpyW (in: lpString1=0x259fa1c, lpString2="3rZJbwvUH5.mp3" | out: lpString1="3rZJbwvUH5.mp3") returned="3rZJbwvUH5.mp3" [0081.690] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.690] SetErrorMode (uMode=0x1) returned 0x1 [0081.690] lstrcpyW (in: lpString1=0x259e1ec, lpString2="3rZJbwvUH5.mp3" | out: lpString1="3rZJbwvUH5.mp3") returned="3rZJbwvUH5.mp3" [0081.690] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\3rZJbwvUH5.mp3") returned 81 [0081.690] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\3rZJbwvUH5.mp3", dwFileAttributes=0x20) returned 1 [0081.690] StrStrW (lpFirst="3rZJbwvUH5.mp3", lpSrch=".Clop") returned 0x0 [0081.690] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\3rZJbwvUH5.mp3.Clop") returned 86 [0081.690] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\3rZJbwvUH5.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\3rzjbwvuh5.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x31c [0081.691] ReadFile (in: hFile=0x31c, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0xb65a, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x259e1d8*=0xb65a, lpOverlapped=0x0) returned 1 [0081.691] CloseHandle (hObject=0x31c) returned 1 [0081.691] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.691] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.692] SetErrorMode (uMode=0x1) returned 0x1 [0081.692] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24b910) returned 1 [0081.694] CryptGenKey (in: hProv=0x24b910, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243338) returned 1 [0081.715] CryptExportKey (in: hKey=0x243338, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.715] CryptExportKey (in: hKey=0x243338, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.715] CryptDestroyKey (hKey=0x243338) returned 1 [0081.715] CryptReleaseContext (hProv=0x24b910, dwFlags=0x0) returned 1 [0081.715] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\3rZJbwvUH5.mp3.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\3rzjbwvuh5.mp3.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x31c [0081.716] WriteFile (in: hFile=0x31c, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0xb65a, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x259e1e8*=0xb65a, lpOverlapped=0x0) returned 1 [0081.717] SetFilePointer (in: hFile=0x31c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xb65a [0081.717] WriteFile (in: hFile=0x31c, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.717] SetFilePointer (in: hFile=0x31c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xb661 [0081.717] SetErrorMode (uMode=0x1) returned 0x1 [0081.717] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.717] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.717] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.717] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24b910) returned 1 [0081.717] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24b910, dwCertEncodingType=0x1, pInfo=0x2498d8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x243038) returned 1 [0081.717] CryptEncrypt (in: hKey=0x243038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.718] CryptEncrypt (in: hKey=0x243038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24ba20*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24ba20*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.718] WriteFile (in: hFile=0x31c, lpBuffer=0x24ba20*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24ba20*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.718] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.718] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.718] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.718] CloseHandle (hObject=0x31c) returned 1 [0081.720] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\3rZJbwvUH5.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\3rzjbwvuh5.mp3")) returned 1 Thread: id = 40 os_tid = 0x128 [0081.737] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.737] lstrcpyW (in: lpString1=0x259fa1c, lpString2="8E6wl_qLQCNpnO.png" | out: lpString1="8E6wl_qLQCNpnO.png") returned="8E6wl_qLQCNpnO.png" [0081.737] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.737] SetErrorMode (uMode=0x1) returned 0x1 [0081.737] lstrcpyW (in: lpString1=0x259e1ec, lpString2="8E6wl_qLQCNpnO.png" | out: lpString1="8E6wl_qLQCNpnO.png") returned="8E6wl_qLQCNpnO.png" [0081.737] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\8E6wl_qLQCNpnO.png") returned 85 [0081.737] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\8E6wl_qLQCNpnO.png", dwFileAttributes=0x20) returned 1 [0081.738] StrStrW (lpFirst="8E6wl_qLQCNpnO.png", lpSrch=".Clop") returned 0x0 [0081.738] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\8E6wl_qLQCNpnO.png.Clop") returned 90 [0081.738] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\8E6wl_qLQCNpnO.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\8e6wl_qlqcnpno.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x328 [0081.739] ReadFile (in: hFile=0x328, lpBuffer=0x24cba0, nNumberOfBytesToRead=0x12a7, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x24cba0*, lpNumberOfBytesRead=0x259e1d8*=0x12a7, lpOverlapped=0x0) returned 1 [0081.739] CloseHandle (hObject=0x328) returned 1 [0081.739] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.739] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.739] SetErrorMode (uMode=0x1) returned 0x1 [0081.740] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24baa8) returned 1 [0081.742] CryptGenKey (in: hProv=0x24baa8, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242e38) returned 1 [0081.775] CryptExportKey (in: hKey=0x242e38, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.775] CryptExportKey (in: hKey=0x242e38, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.775] CryptDestroyKey (hKey=0x242e38) returned 1 [0081.775] CryptReleaseContext (hProv=0x24baa8, dwFlags=0x0) returned 1 [0081.775] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\8E6wl_qLQCNpnO.png.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\8e6wl_qlqcnpno.png.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x328 [0081.776] WriteFile (in: hFile=0x328, lpBuffer=0x24cba0*, nNumberOfBytesToWrite=0x12a7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24cba0*, lpNumberOfBytesWritten=0x259e1e8*=0x12a7, lpOverlapped=0x0) returned 1 [0081.776] SetFilePointer (in: hFile=0x328, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x12a7 [0081.777] WriteFile (in: hFile=0x328, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.777] SetFilePointer (in: hFile=0x328, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x12ae [0081.778] SetErrorMode (uMode=0x1) returned 0x1 [0081.778] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.778] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.778] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.778] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24baa8) returned 1 [0081.778] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24baa8, dwCertEncodingType=0x1, pInfo=0x248ca8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242d38) returned 1 [0081.778] CryptEncrypt (in: hKey=0x242d38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.778] CryptEncrypt (in: hKey=0x242d38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c080*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24c080*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.778] WriteFile (in: hFile=0x328, lpBuffer=0x24c080*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24c080*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.778] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.778] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.778] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.779] CloseHandle (hObject=0x328) returned 1 [0081.779] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\8E6wl_qLQCNpnO.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\8e6wl_qlqcnpno.png")) returned 1 Thread: id = 41 os_tid = 0xa60 [0081.795] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.795] lstrcpyW (in: lpString1=0x259fa1c, lpString2="d2eT4JK8.mp4" | out: lpString1="d2eT4JK8.mp4") returned="d2eT4JK8.mp4" [0081.795] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.795] SetErrorMode (uMode=0x1) returned 0x1 [0081.795] lstrcpyW (in: lpString1=0x259e1ec, lpString2="d2eT4JK8.mp4" | out: lpString1="d2eT4JK8.mp4") returned="d2eT4JK8.mp4" [0081.795] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\d2eT4JK8.mp4") returned 79 [0081.796] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\d2eT4JK8.mp4", dwFileAttributes=0x20) returned 1 [0081.797] StrStrW (lpFirst="d2eT4JK8.mp4", lpSrch=".Clop") returned 0x0 [0081.797] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\d2eT4JK8.mp4.Clop") returned 84 [0081.797] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\d2eT4JK8.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\d2et4jk8.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c [0081.797] ReadFile (in: hFile=0x32c, lpBuffer=0x26eff0, nNumberOfBytesToRead=0xfbe7, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesRead=0x259e1d8*=0xfbe7, lpOverlapped=0x0) returned 1 [0081.798] CloseHandle (hObject=0x32c) returned 1 [0081.798] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.798] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.798] SetErrorMode (uMode=0x1) returned 0x1 [0081.798] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24c988) returned 1 [0081.800] CryptGenKey (in: hProv=0x24c988, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x242f78) returned 1 [0081.870] CryptExportKey (in: hKey=0x242f78, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.870] CryptExportKey (in: hKey=0x242f78, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.870] CryptDestroyKey (hKey=0x242f78) returned 1 [0081.870] CryptReleaseContext (hProv=0x24c988, dwFlags=0x0) returned 1 [0081.870] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\d2eT4JK8.mp4.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\d2et4jk8.mp4.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x32c [0081.871] WriteFile (in: hFile=0x32c, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0xfbe7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x259e1e8*=0xfbe7, lpOverlapped=0x0) returned 1 [0081.872] SetFilePointer (in: hFile=0x32c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xfbe7 [0081.872] WriteFile (in: hFile=0x32c, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.873] SetFilePointer (in: hFile=0x32c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xfbee [0081.873] SetErrorMode (uMode=0x1) returned 0x1 [0081.873] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.873] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.873] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.873] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24c438) returned 1 [0081.873] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24c438, dwCertEncodingType=0x1, pInfo=0x2499a8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242d78) returned 1 [0081.873] CryptEncrypt (in: hKey=0x242d78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.873] CryptEncrypt (in: hKey=0x242d78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c3b0*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24c3b0*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.874] WriteFile (in: hFile=0x32c, lpBuffer=0x24c3b0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24c3b0*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.874] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.874] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.875] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.875] CloseHandle (hObject=0x32c) returned 1 [0081.877] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\d2eT4JK8.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\d2et4jk8.mp4")) returned 1 Thread: id = 42 os_tid = 0x4b8 [0081.894] lstrcpyA (in: lpString1=0x259fe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.894] lstrcpyW (in: lpString1=0x259fa1c, lpString2="ObwlO7BZUXGUQwB0pQ.m4a" | out: lpString1="ObwlO7BZUXGUQwB0pQ.m4a") returned="ObwlO7BZUXGUQwB0pQ.m4a" [0081.894] lstrcpyW (in: lpString1=0x259ea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.894] SetErrorMode (uMode=0x1) returned 0x1 [0081.894] lstrcpyW (in: lpString1=0x259e1ec, lpString2="ObwlO7BZUXGUQwB0pQ.m4a" | out: lpString1="ObwlO7BZUXGUQwB0pQ.m4a") returned="ObwlO7BZUXGUQwB0pQ.m4a" [0081.894] wsprintfW (in: param_1=0x259ee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\ObwlO7BZUXGUQwB0pQ.m4a") returned 89 [0081.894] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\ObwlO7BZUXGUQwB0pQ.m4a", dwFileAttributes=0x20) returned 1 [0081.895] StrStrW (lpFirst="ObwlO7BZUXGUQwB0pQ.m4a", lpSrch=".Clop") returned 0x0 [0081.895] wsprintfW (in: param_1=0x259f60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\ObwlO7BZUXGUQwB0pQ.m4a.Clop") returned 94 [0081.895] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\ObwlO7BZUXGUQwB0pQ.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\obwlo7bzuxguqwb0pq.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x330 [0081.896] ReadFile (in: hFile=0x330, lpBuffer=0x26eff0, nNumberOfBytesToRead=0xebb5, lpNumberOfBytesRead=0x259e1d8, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesRead=0x259e1d8*=0xebb5, lpOverlapped=0x0) returned 1 [0081.896] CloseHandle (hObject=0x330) returned 1 [0081.897] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x600000 [0081.897] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x620000 [0081.897] SetErrorMode (uMode=0x1) returned 0x1 [0081.897] CryptAcquireContextW (in: phProv=0x259e1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x259e1b0*=0x24c4c0) returned 1 [0081.900] CryptGenKey (in: hProv=0x24c4c0, Algid=0x1, dwFlags=0x4000, phKey=0x259e1b4 | out: phKey=0x259e1b4*=0x243078) returned 1 [0081.947] CryptExportKey (in: hKey=0x243078, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x259e1d4 | out: pbData=0x0*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.947] CryptExportKey (in: hKey=0x243078, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x620000, pdwDataLen=0x259e1d4 | out: pbData=0x620000*, pdwDataLen=0x259e1d4*=0x94) returned 1 [0081.947] CryptDestroyKey (hKey=0x243078) returned 1 [0081.947] CryptReleaseContext (hProv=0x24c4c0, dwFlags=0x0) returned 1 [0081.947] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\ObwlO7BZUXGUQwB0pQ.m4a.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\obwlo7bzuxguqwb0pq.m4a.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0081.948] WriteFile (in: hFile=0x1c8, lpBuffer=0x26eff0*, nNumberOfBytesToWrite=0xebb5, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x26eff0*, lpNumberOfBytesWritten=0x259e1e8*=0xebb5, lpOverlapped=0x0) returned 1 [0081.951] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xebb5 [0081.951] WriteFile (in: hFile=0x1c8, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x259e1e8*=0x7, lpOverlapped=0x0) returned 1 [0081.951] SetFilePointer (in: hFile=0x1c8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xebbc [0081.951] SetErrorMode (uMode=0x1) returned 0x1 [0081.952] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0081.952] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x259d1b0, pcbBinary=0x259d1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0081.952] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x259d1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x259d198, pcbStructInfo=0x259d190 | out: pvStructInfo=0x259d198, pcbStructInfo=0x259d190) returned 1 [0081.952] CryptAcquireContextW (in: phProv=0x259d1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x259d1a0*=0x24c218) returned 1 [0081.952] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24c218, dwCertEncodingType=0x1, pInfo=0x2486f8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x259d1a8 | out: phKey=0x259d1a8*=0x242f78) returned 1 [0081.952] CryptEncrypt (in: hKey=0x242f78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x259d1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x259d1ac*=0x80) returned 1 [0081.952] CryptEncrypt (in: hKey=0x242f78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c4c0*, pdwDataLen=0x259d19c*=0x75, dwBufLen=0x80 | out: pbData=0x24c4c0*, pdwDataLen=0x259d19c*=0x80) returned 1 [0081.952] WriteFile (in: hFile=0x1c8, lpBuffer=0x24c4c0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x259e1e8, lpOverlapped=0x0 | out: lpBuffer=0x24c4c0*, lpNumberOfBytesWritten=0x259e1e8*=0x80, lpOverlapped=0x0) returned 1 [0081.952] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0081.953] VirtualFree (lpAddress=0x600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.953] VirtualFree (lpAddress=0x620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.953] CloseHandle (hObject=0x1c8) returned 1 [0081.955] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\ObwlO7BZUXGUQwB0pQ.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\obwlo7bzuxguqwb0pq.m4a")) returned 1 Thread: id = 43 os_tid = 0x554 [0081.963] lstrcpyA (in: lpString1=0x23bfe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0081.963] lstrcpyW (in: lpString1=0x23bfa1c, lpString2="UCjyyB8w66Rfl6SR.bmp" | out: lpString1="UCjyyB8w66Rfl6SR.bmp") returned="UCjyyB8w66Rfl6SR.bmp" [0081.964] lstrcpyW (in: lpString1=0x23bea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0081.964] SetErrorMode (uMode=0x1) returned 0x1 [0081.964] lstrcpyW (in: lpString1=0x23be1ec, lpString2="UCjyyB8w66Rfl6SR.bmp" | out: lpString1="UCjyyB8w66Rfl6SR.bmp") returned="UCjyyB8w66Rfl6SR.bmp" [0081.964] wsprintfW (in: param_1=0x23bee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\UCjyyB8w66Rfl6SR.bmp") returned 87 [0081.964] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\UCjyyB8w66Rfl6SR.bmp", dwFileAttributes=0x20) returned 1 [0081.964] StrStrW (lpFirst="UCjyyB8w66Rfl6SR.bmp", lpSrch=".Clop") returned 0x0 [0081.964] wsprintfW (in: param_1=0x23bf60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\UCjyyB8w66Rfl6SR.bmp.Clop") returned 92 [0081.964] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\UCjyyB8w66Rfl6SR.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\ucjyyb8w66rfl6sr.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x334 [0081.965] ReadFile (in: hFile=0x334, lpBuffer=0x293f68, nNumberOfBytesToRead=0x137c3, lpNumberOfBytesRead=0x23be1d8, lpOverlapped=0x0 | out: lpBuffer=0x293f68*, lpNumberOfBytesRead=0x23be1d8*=0x137c3, lpOverlapped=0x0) returned 1 [0081.966] CloseHandle (hObject=0x334) returned 1 [0081.966] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0081.966] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0081.966] SetErrorMode (uMode=0x1) returned 0x1 [0081.966] CryptAcquireContextW (in: phProv=0x23be1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x23be1b0*=0x24c108) returned 1 [0081.969] CryptGenKey (in: hProv=0x24c108, Algid=0x1, dwFlags=0x4000, phKey=0x23be1b4 | out: phKey=0x23be1b4*=0x242e38) returned 1 [0082.044] CryptExportKey (in: hKey=0x242e38, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x23be1d4 | out: pbData=0x0*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.044] CryptExportKey (in: hKey=0x242e38, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3d0000, pdwDataLen=0x23be1d4 | out: pbData=0x3d0000*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.044] CryptDestroyKey (hKey=0x242e38) returned 1 [0082.044] CryptReleaseContext (hProv=0x24c108, dwFlags=0x0) returned 1 [0082.048] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\UCjyyB8w66Rfl6SR.bmp.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\ucjyyb8w66rfl6sr.bmp.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x334 [0082.048] WriteFile (in: hFile=0x334, lpBuffer=0x293f68*, nNumberOfBytesToWrite=0x137c3, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x293f68*, lpNumberOfBytesWritten=0x23be1e8*=0x137c3, lpOverlapped=0x0) returned 1 [0082.049] SetFilePointer (in: hFile=0x334, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x137c3 [0082.049] WriteFile (in: hFile=0x334, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x23be1e8*=0x7, lpOverlapped=0x0) returned 1 [0082.050] SetFilePointer (in: hFile=0x334, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x137ca [0082.050] SetErrorMode (uMode=0x1) returned 0x1 [0082.050] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0082.050] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0082.050] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x23bd1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190 | out: pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190) returned 1 [0082.050] CryptAcquireContextW (in: phProv=0x23bd1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x23bd1a0*=0x24c548) returned 1 [0082.050] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24c548, dwCertEncodingType=0x1, pInfo=0x248898, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x23bd1a8 | out: phKey=0x23bd1a8*=0x242e38) returned 1 [0082.050] CryptEncrypt (in: hKey=0x242e38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x23bd1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x23bd1ac*=0x80) returned 1 [0082.050] CryptEncrypt (in: hKey=0x242e38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c878*, pdwDataLen=0x23bd19c*=0x75, dwBufLen=0x80 | out: pbData=0x24c878*, pdwDataLen=0x23bd19c*=0x80) returned 1 [0082.050] WriteFile (in: hFile=0x334, lpBuffer=0x24c878*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x24c878*, lpNumberOfBytesWritten=0x23be1e8*=0x80, lpOverlapped=0x0) returned 1 [0082.050] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0082.051] VirtualFree (lpAddress=0x3c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.051] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.052] CloseHandle (hObject=0x334) returned 1 [0082.053] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\UCjyyB8w66Rfl6SR.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\ucjyyb8w66rfl6sr.bmp")) returned 1 Thread: id = 44 os_tid = 0x888 [0082.057] lstrcpyA (in: lpString1=0x23bfe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.057] lstrcpyW (in: lpString1=0x23bfa1c, lpString2="VzugFdG5q8.avi" | out: lpString1="VzugFdG5q8.avi") returned="VzugFdG5q8.avi" [0082.057] lstrcpyW (in: lpString1=0x23bea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\" [0082.057] SetErrorMode (uMode=0x1) returned 0x1 [0082.057] lstrcpyW (in: lpString1=0x23be1ec, lpString2="VzugFdG5q8.avi" | out: lpString1="VzugFdG5q8.avi") returned="VzugFdG5q8.avi" [0082.057] wsprintfW (in: param_1=0x23bee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\VzugFdG5q8.avi") returned 81 [0082.057] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\VzugFdG5q8.avi", dwFileAttributes=0x20) returned 1 [0082.057] StrStrW (lpFirst="VzugFdG5q8.avi", lpSrch=".Clop") returned 0x0 [0082.057] wsprintfW (in: param_1=0x23bf60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\VzugFdG5q8.avi.Clop") returned 86 [0082.058] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\VzugFdG5q8.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\vzugfdg5q8.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0082.058] ReadFile (in: hFile=0x1cc, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0xac43, lpNumberOfBytesRead=0x23be1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x23be1d8*=0xac43, lpOverlapped=0x0) returned 1 [0082.059] CloseHandle (hObject=0x1cc) returned 1 [0082.059] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0082.059] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0082.059] SetErrorMode (uMode=0x1) returned 0x1 [0082.059] CryptAcquireContextW (in: phProv=0x23be1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x23be1b0*=0x24ca10) returned 1 [0082.062] CryptGenKey (in: hProv=0x24ca10, Algid=0x1, dwFlags=0x4000, phKey=0x23be1b4 | out: phKey=0x23be1b4*=0x242b78) returned 1 [0082.112] CryptExportKey (in: hKey=0x242b78, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x23be1d4 | out: pbData=0x0*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.112] CryptExportKey (in: hKey=0x242b78, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3d0000, pdwDataLen=0x23be1d4 | out: pbData=0x3d0000*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.112] CryptDestroyKey (hKey=0x242b78) returned 1 [0082.112] CryptReleaseContext (hProv=0x24ca10, dwFlags=0x0) returned 1 [0082.112] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\VzugFdG5q8.avi.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\vzugfdg5q8.avi.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0082.113] WriteFile (in: hFile=0x1cc, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0xac43, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x23be1e8*=0xac43, lpOverlapped=0x0) returned 1 [0082.114] SetFilePointer (in: hFile=0x1cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xac43 [0082.114] WriteFile (in: hFile=0x1cc, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x23be1e8*=0x7, lpOverlapped=0x0) returned 1 [0082.114] SetFilePointer (in: hFile=0x1cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xac4a [0082.114] SetErrorMode (uMode=0x1) returned 0x1 [0082.114] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0082.114] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0082.114] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x23bd1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190 | out: pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190) returned 1 [0082.114] CryptAcquireContextW (in: phProv=0x23bd1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x23bd1a0*=0x24c900) returned 1 [0082.114] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24c900, dwCertEncodingType=0x1, pInfo=0x24a028, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x23bd1a8 | out: phKey=0x23bd1a8*=0x243078) returned 1 [0082.115] CryptEncrypt (in: hKey=0x243078, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x23bd1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x23bd1ac*=0x80) returned 1 [0082.115] CryptEncrypt (in: hKey=0x243078, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c190*, pdwDataLen=0x23bd19c*=0x75, dwBufLen=0x80 | out: pbData=0x24c190*, pdwDataLen=0x23bd19c*=0x80) returned 1 [0082.115] WriteFile (in: hFile=0x1cc, lpBuffer=0x24c190*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x24c190*, lpNumberOfBytesWritten=0x23be1e8*=0x80, lpOverlapped=0x0) returned 1 [0082.115] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0082.115] VirtualFree (lpAddress=0x3c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.115] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.116] CloseHandle (hObject=0x1cc) returned 1 [0082.117] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\EmFSG8fVo9kfhE4JVd\\VzugFdG5q8.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\emfsg8fvo9kfhe4jvd\\vzugfdg5q8.avi")) returned 1 Thread: id = 45 os_tid = 0xa84 [0082.127] lstrcpyA (in: lpString1=0x23bfe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.127] lstrcpyW (in: lpString1=0x23bfa1c, lpString2="wHBG1 KhJkOY8rUr-B.jpg" | out: lpString1="wHBG1 KhJkOY8rUr-B.jpg") returned="wHBG1 KhJkOY8rUr-B.jpg" [0082.127] lstrcpyW (in: lpString1=0x23bea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\" [0082.127] SetErrorMode (uMode=0x1) returned 0x1 [0082.127] lstrcpyW (in: lpString1=0x23be1ec, lpString2="wHBG1 KhJkOY8rUr-B.jpg" | out: lpString1="wHBG1 KhJkOY8rUr-B.jpg") returned="wHBG1 KhJkOY8rUr-B.jpg" [0082.127] wsprintfW (in: param_1=0x23bee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\wHBG1 KhJkOY8rUr-B.jpg") returned 89 [0082.127] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\wHBG1 KhJkOY8rUr-B.jpg", dwFileAttributes=0x20) returned 1 [0082.127] StrStrW (lpFirst="wHBG1 KhJkOY8rUr-B.jpg", lpSrch=".Clop") returned 0x0 [0082.127] wsprintfW (in: param_1=0x23bf60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\wHBG1 KhJkOY8rUr-B.jpg.Clop") returned 94 [0082.127] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\wHBG1 KhJkOY8rUr-B.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\whbg1 khjkoy8rur-b.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x330 [0082.128] ReadFile (in: hFile=0x330, lpBuffer=0x27bc48, nNumberOfBytesToRead=0x1c21, lpNumberOfBytesRead=0x23be1d8, lpOverlapped=0x0 | out: lpBuffer=0x27bc48*, lpNumberOfBytesRead=0x23be1d8*=0x1c21, lpOverlapped=0x0) returned 1 [0082.128] CloseHandle (hObject=0x330) returned 1 [0082.128] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0082.129] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0082.129] SetErrorMode (uMode=0x1) returned 0x1 [0082.129] CryptAcquireContextW (in: phProv=0x23be1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x23be1b0*=0x24c6e0) returned 1 [0082.131] CryptGenKey (in: hProv=0x24c6e0, Algid=0x1, dwFlags=0x4000, phKey=0x23be1b4 | out: phKey=0x23be1b4*=0x242bf8) returned 1 [0082.147] CryptExportKey (in: hKey=0x242bf8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x23be1d4 | out: pbData=0x0*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.147] CryptExportKey (in: hKey=0x242bf8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3d0000, pdwDataLen=0x23be1d4 | out: pbData=0x3d0000*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.147] CryptDestroyKey (hKey=0x242bf8) returned 1 [0082.147] CryptReleaseContext (hProv=0x24c6e0, dwFlags=0x0) returned 1 [0082.147] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\wHBG1 KhJkOY8rUr-B.jpg.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\whbg1 khjkoy8rur-b.jpg.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x330 [0082.149] WriteFile (in: hFile=0x330, lpBuffer=0x27bc48*, nNumberOfBytesToWrite=0x1c21, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x27bc48*, lpNumberOfBytesWritten=0x23be1e8*=0x1c21, lpOverlapped=0x0) returned 1 [0082.150] SetFilePointer (in: hFile=0x330, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1c21 [0082.150] WriteFile (in: hFile=0x330, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x23be1e8*=0x7, lpOverlapped=0x0) returned 1 [0082.150] SetFilePointer (in: hFile=0x330, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1c28 [0082.150] SetErrorMode (uMode=0x1) returned 0x1 [0082.150] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0082.150] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0082.150] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x23bd1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190 | out: pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190) returned 1 [0082.150] CryptAcquireContextW (in: phProv=0x23bd1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x23bd1a0*=0x24c2a0) returned 1 [0082.151] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24c2a0, dwCertEncodingType=0x1, pInfo=0x249db8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x23bd1a8 | out: phKey=0x23bd1a8*=0x2430b8) returned 1 [0082.151] CryptEncrypt (in: hKey=0x2430b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x23bd1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x23bd1ac*=0x80) returned 1 [0082.151] CryptEncrypt (in: hKey=0x2430b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c5d0*, pdwDataLen=0x23bd19c*=0x75, dwBufLen=0x80 | out: pbData=0x24c5d0*, pdwDataLen=0x23bd19c*=0x80) returned 1 [0082.151] WriteFile (in: hFile=0x330, lpBuffer=0x24c5d0*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x24c5d0*, lpNumberOfBytesWritten=0x23be1e8*=0x80, lpOverlapped=0x0) returned 1 [0082.151] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0082.151] VirtualFree (lpAddress=0x3c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.151] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.151] CloseHandle (hObject=0x330) returned 1 [0082.153] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\wHBG1 KhJkOY8rUr-B.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\whbg1 khjkoy8rur-b.jpg")) returned 1 Thread: id = 46 os_tid = 0x2bc [0082.160] lstrcpyA (in: lpString1=0x23bfe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.160] lstrcpyW (in: lpString1=0x23bfa1c, lpString2="1GuphSZyRIMnQ5w0EQ.avi" | out: lpString1="1GuphSZyRIMnQ5w0EQ.avi") returned="1GuphSZyRIMnQ5w0EQ.avi" [0082.160] lstrcpyW (in: lpString1=0x23bea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" [0082.160] SetErrorMode (uMode=0x1) returned 0x1 [0082.160] lstrcpyW (in: lpString1=0x23be1ec, lpString2="1GuphSZyRIMnQ5w0EQ.avi" | out: lpString1="1GuphSZyRIMnQ5w0EQ.avi") returned="1GuphSZyRIMnQ5w0EQ.avi" [0082.160] wsprintfW (in: param_1=0x23bee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\1GuphSZyRIMnQ5w0EQ.avi") returned 98 [0082.160] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\1GuphSZyRIMnQ5w0EQ.avi", dwFileAttributes=0x20) returned 1 [0082.160] StrStrW (lpFirst="1GuphSZyRIMnQ5w0EQ.avi", lpSrch=".Clop") returned 0x0 [0082.160] wsprintfW (in: param_1=0x23bf60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\1GuphSZyRIMnQ5w0EQ.avi.Clop") returned 103 [0082.160] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\1GuphSZyRIMnQ5w0EQ.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\1guphszyrimnq5w0eq.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x330 [0082.161] ReadFile (in: hFile=0x330, lpBuffer=0x27e880, nNumberOfBytesToRead=0x3073, lpNumberOfBytesRead=0x23be1d8, lpOverlapped=0x0 | out: lpBuffer=0x27e880*, lpNumberOfBytesRead=0x23be1d8*=0x3073, lpOverlapped=0x0) returned 1 [0082.161] CloseHandle (hObject=0x330) returned 1 [0082.161] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0082.162] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0082.162] SetErrorMode (uMode=0x1) returned 0x1 [0082.162] CryptAcquireContextW (in: phProv=0x23be1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x23be1b0*=0x24c6e0) returned 1 [0082.164] CryptGenKey (in: hProv=0x24c6e0, Algid=0x1, dwFlags=0x4000, phKey=0x23be1b4 | out: phKey=0x23be1b4*=0x2431b8) returned 1 [0082.193] CryptExportKey (in: hKey=0x2431b8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x23be1d4 | out: pbData=0x0*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.194] CryptExportKey (in: hKey=0x2431b8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3d0000, pdwDataLen=0x23be1d4 | out: pbData=0x3d0000*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.194] CryptDestroyKey (hKey=0x2431b8) returned 1 [0082.194] CryptReleaseContext (hProv=0x24c6e0, dwFlags=0x0) returned 1 [0082.194] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\1GuphSZyRIMnQ5w0EQ.avi.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\1guphszyrimnq5w0eq.avi.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x330 [0082.195] WriteFile (in: hFile=0x330, lpBuffer=0x27e880*, nNumberOfBytesToWrite=0x3073, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x27e880*, lpNumberOfBytesWritten=0x23be1e8*=0x3073, lpOverlapped=0x0) returned 1 [0082.196] SetFilePointer (in: hFile=0x330, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x3073 [0082.196] WriteFile (in: hFile=0x330, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x23be1e8*=0x7, lpOverlapped=0x0) returned 1 [0082.197] SetFilePointer (in: hFile=0x330, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x307a [0082.197] SetErrorMode (uMode=0x1) returned 0x1 [0082.197] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0082.197] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0082.197] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x23bd1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190 | out: pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190) returned 1 [0082.197] CryptAcquireContextW (in: phProv=0x23bd1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x23bd1a0*=0x24c988) returned 1 [0082.197] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24c988, dwCertEncodingType=0x1, pInfo=0x249e88, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x23bd1a8 | out: phKey=0x23bd1a8*=0x2431b8) returned 1 [0082.197] CryptEncrypt (in: hKey=0x2431b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x23bd1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x23bd1ac*=0x80) returned 1 [0082.197] CryptEncrypt (in: hKey=0x2431b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24ca10*, pdwDataLen=0x23bd19c*=0x75, dwBufLen=0x80 | out: pbData=0x24ca10*, pdwDataLen=0x23bd19c*=0x80) returned 1 [0082.197] WriteFile (in: hFile=0x330, lpBuffer=0x24ca10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x24ca10*, lpNumberOfBytesWritten=0x23be1e8*=0x80, lpOverlapped=0x0) returned 1 [0082.198] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0082.198] VirtualFree (lpAddress=0x3c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.198] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.198] CloseHandle (hObject=0x330) returned 1 [0082.264] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\1GuphSZyRIMnQ5w0EQ.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\1guphszyrimnq5w0eq.avi")) returned 1 Thread: id = 47 os_tid = 0xb24 [0082.267] lstrcpyA (in: lpString1=0x23bfe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.267] lstrcpyW (in: lpString1=0x23bfa1c, lpString2="H4KR8e.gif" | out: lpString1="H4KR8e.gif") returned="H4KR8e.gif" [0082.267] lstrcpyW (in: lpString1=0x23bea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" [0082.267] SetErrorMode (uMode=0x1) returned 0x1 [0082.267] lstrcpyW (in: lpString1=0x23be1ec, lpString2="H4KR8e.gif" | out: lpString1="H4KR8e.gif") returned="H4KR8e.gif" [0082.267] wsprintfW (in: param_1=0x23bee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\H4KR8e.gif") returned 86 [0082.267] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\H4KR8e.gif", dwFileAttributes=0x20) returned 1 [0082.268] StrStrW (lpFirst="H4KR8e.gif", lpSrch=".Clop") returned 0x0 [0082.268] wsprintfW (in: param_1=0x23bf60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\H4KR8e.gif.Clop") returned 91 [0082.268] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\H4KR8e.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\h4kr8e.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x340 [0082.268] ReadFile (in: hFile=0x340, lpBuffer=0x2ab748, nNumberOfBytesToRead=0x18b95, lpNumberOfBytesRead=0x23be1d8, lpOverlapped=0x0 | out: lpBuffer=0x2ab748*, lpNumberOfBytesRead=0x23be1d8*=0x18b95, lpOverlapped=0x0) returned 1 [0082.269] CloseHandle (hObject=0x340) returned 1 [0082.269] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0082.269] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0082.269] SetErrorMode (uMode=0x1) returned 0x1 [0082.269] CryptAcquireContextW (in: phProv=0x23be1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x23be1b0*=0x24c328) returned 1 [0082.272] CryptGenKey (in: hProv=0x24c328, Algid=0x1, dwFlags=0x4000, phKey=0x23be1b4 | out: phKey=0x23be1b4*=0x243238) returned 1 [0082.285] CryptExportKey (in: hKey=0x243238, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x23be1d4 | out: pbData=0x0*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.285] CryptExportKey (in: hKey=0x243238, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3d0000, pdwDataLen=0x23be1d4 | out: pbData=0x3d0000*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.285] CryptDestroyKey (hKey=0x243238) returned 1 [0082.285] CryptReleaseContext (hProv=0x24c328, dwFlags=0x0) returned 1 [0082.285] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\H4KR8e.gif.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\h4kr8e.gif.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x340 [0082.286] WriteFile (in: hFile=0x340, lpBuffer=0x2ab748*, nNumberOfBytesToWrite=0x18b95, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x2ab748*, lpNumberOfBytesWritten=0x23be1e8*=0x18b95, lpOverlapped=0x0) returned 1 [0082.287] SetFilePointer (in: hFile=0x340, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x18b95 [0082.287] WriteFile (in: hFile=0x340, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x23be1e8*=0x7, lpOverlapped=0x0) returned 1 [0082.287] SetFilePointer (in: hFile=0x340, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x18b9c [0082.287] SetErrorMode (uMode=0x1) returned 0x1 [0082.287] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0082.288] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0082.288] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x23bd1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190 | out: pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190) returned 1 [0082.288] CryptAcquireContextW (in: phProv=0x23bd1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x23bd1a0*=0x24c328) returned 1 [0082.288] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24c328, dwCertEncodingType=0x1, pInfo=0x24a1c8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x23bd1a8 | out: phKey=0x23bd1a8*=0x243338) returned 1 [0082.288] CryptEncrypt (in: hKey=0x243338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x23bd1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x23bd1ac*=0x80) returned 1 [0082.288] CryptEncrypt (in: hKey=0x243338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c658*, pdwDataLen=0x23bd19c*=0x75, dwBufLen=0x80 | out: pbData=0x24c658*, pdwDataLen=0x23bd19c*=0x80) returned 1 [0082.288] WriteFile (in: hFile=0x340, lpBuffer=0x24c658*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x24c658*, lpNumberOfBytesWritten=0x23be1e8*=0x80, lpOverlapped=0x0) returned 1 [0082.288] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0082.289] VirtualFree (lpAddress=0x3c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.289] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.289] CloseHandle (hObject=0x340) returned 1 [0082.291] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\H4KR8e.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\h4kr8e.gif")) returned 1 Thread: id = 48 os_tid = 0x2f4 [0082.295] lstrcpyA (in: lpString1=0x23bfe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.295] lstrcpyW (in: lpString1=0x23bfa1c, lpString2="xMyQQvGf.doc" | out: lpString1="xMyQQvGf.doc") returned="xMyQQvGf.doc" [0082.295] lstrcpyW (in: lpString1=0x23bea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\" [0082.295] SetErrorMode (uMode=0x1) returned 0x1 [0082.295] lstrcpyW (in: lpString1=0x23be1ec, lpString2="xMyQQvGf.doc" | out: lpString1="xMyQQvGf.doc") returned="xMyQQvGf.doc" [0082.295] wsprintfW (in: param_1=0x23bee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\xMyQQvGf.doc") returned 88 [0082.295] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\xMyQQvGf.doc", dwFileAttributes=0x20) returned 1 [0082.296] StrStrW (lpFirst="xMyQQvGf.doc", lpSrch=".Clop") returned 0x0 [0082.296] wsprintfW (in: param_1=0x23bf60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\xMyQQvGf.doc.Clop") returned 93 [0082.296] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\xMyQQvGf.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\xmyqqvgf.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x344 [0082.297] ReadFile (in: hFile=0x344, lpBuffer=0x2ab748, nNumberOfBytesToRead=0x1872b, lpNumberOfBytesRead=0x23be1d8, lpOverlapped=0x0 | out: lpBuffer=0x2ab748*, lpNumberOfBytesRead=0x23be1d8*=0x1872b, lpOverlapped=0x0) returned 1 [0082.297] CloseHandle (hObject=0x344) returned 1 [0082.298] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0082.298] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0082.298] SetErrorMode (uMode=0x1) returned 0x1 [0082.298] CryptAcquireContextW (in: phProv=0x23be1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x23be1b0*=0x24bff8) returned 1 [0082.300] CryptGenKey (in: hProv=0x24bff8, Algid=0x1, dwFlags=0x4000, phKey=0x23be1b4 | out: phKey=0x23be1b4*=0x243238) returned 1 [0082.594] CryptExportKey (in: hKey=0x243238, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x23be1d4 | out: pbData=0x0*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.594] CryptExportKey (in: hKey=0x243238, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3d0000, pdwDataLen=0x23be1d4 | out: pbData=0x3d0000*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.594] CryptDestroyKey (hKey=0x243238) returned 1 [0082.594] CryptReleaseContext (hProv=0x24bff8, dwFlags=0x0) returned 1 [0082.595] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\xMyQQvGf.doc.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\xmyqqvgf.doc.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x344 [0082.595] WriteFile (in: hFile=0x344, lpBuffer=0x2ab748*, nNumberOfBytesToWrite=0x1872b, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x2ab748*, lpNumberOfBytesWritten=0x23be1e8*=0x1872b, lpOverlapped=0x0) returned 1 [0082.597] SetFilePointer (in: hFile=0x344, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x1872b [0082.597] WriteFile (in: hFile=0x344, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x23be1e8*=0x7, lpOverlapped=0x0) returned 1 [0082.597] SetFilePointer (in: hFile=0x344, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x18732 [0082.597] SetErrorMode (uMode=0x1) returned 0x1 [0082.597] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0082.597] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0082.597] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x23bd1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190 | out: pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190) returned 1 [0082.597] CryptAcquireContextW (in: phProv=0x23bd1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x23bd1a0*=0x24c6e0) returned 1 [0082.598] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24c6e0, dwCertEncodingType=0x1, pInfo=0x24a298, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x23bd1a8 | out: phKey=0x23bd1a8*=0x242bb8) returned 1 [0082.598] CryptEncrypt (in: hKey=0x242bb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x23bd1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x23bd1ac*=0x80) returned 1 [0082.598] CryptEncrypt (in: hKey=0x242bb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c768*, pdwDataLen=0x23bd19c*=0x75, dwBufLen=0x80 | out: pbData=0x24c768*, pdwDataLen=0x23bd19c*=0x80) returned 1 [0082.598] WriteFile (in: hFile=0x344, lpBuffer=0x24c768*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x24c768*, lpNumberOfBytesWritten=0x23be1e8*=0x80, lpOverlapped=0x0) returned 1 [0082.598] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0082.599] VirtualFree (lpAddress=0x3c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.599] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.599] CloseHandle (hObject=0x344) returned 1 [0082.601] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\843Dy1Ix8Wm9w9PNS\\wXmwHJbln-GpgybDik\\5-VS 8B3\\xMyQQvGf.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\843dy1ix8wm9w9pns\\wxmwhjbln-gpgybdik\\5-vs 8b3\\xmyqqvgf.doc")) returned 1 Thread: id = 49 os_tid = 0x61c [0082.725] lstrcpyA (in: lpString1=0x23bfe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.725] lstrcpyW (in: lpString1=0x23bfa1c, lpString2="cBP N0kdCH8mn.mp3" | out: lpString1="cBP N0kdCH8mn.mp3") returned="cBP N0kdCH8mn.mp3" [0082.725] lstrcpyW (in: lpString1=0x23bea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" [0082.725] SetErrorMode (uMode=0x1) returned 0x1 [0082.725] lstrcpyW (in: lpString1=0x23be1ec, lpString2="cBP N0kdCH8mn.mp3" | out: lpString1="cBP N0kdCH8mn.mp3") returned="cBP N0kdCH8mn.mp3" [0082.725] wsprintfW (in: param_1=0x23bee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\cBP N0kdCH8mn.mp3") returned 61 [0082.725] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\cBP N0kdCH8mn.mp3", dwFileAttributes=0x20) returned 1 [0082.725] StrStrW (lpFirst="cBP N0kdCH8mn.mp3", lpSrch=".Clop") returned 0x0 [0082.725] wsprintfW (in: param_1=0x23bf60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\cBP N0kdCH8mn.mp3.Clop") returned 66 [0082.726] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\cBP N0kdCH8mn.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\cbp n0kdch8mn.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0082.726] ReadFile (in: hFile=0x1cc, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0x586e, lpNumberOfBytesRead=0x23be1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x23be1d8*=0x586e, lpOverlapped=0x0) returned 1 [0082.727] CloseHandle (hObject=0x1cc) returned 1 [0082.727] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0082.727] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0082.727] SetErrorMode (uMode=0x1) returned 0x1 [0082.727] CryptAcquireContextW (in: phProv=0x23be1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x23be1b0*=0x24c7f0) returned 1 [0082.730] CryptGenKey (in: hProv=0x24c7f0, Algid=0x1, dwFlags=0x4000, phKey=0x23be1b4 | out: phKey=0x23be1b4*=0x243978) returned 1 [0082.852] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x23be1d4 | out: pbData=0x0*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.853] CryptExportKey (in: hKey=0x243978, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3d0000, pdwDataLen=0x23be1d4 | out: pbData=0x3d0000*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0082.853] CryptDestroyKey (hKey=0x243978) returned 1 [0082.853] CryptReleaseContext (hProv=0x24c7f0, dwFlags=0x0) returned 1 [0082.853] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\cBP N0kdCH8mn.mp3.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\cbp n0kdch8mn.mp3.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0082.853] WriteFile (in: hFile=0x1cc, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0x586e, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x23be1e8*=0x586e, lpOverlapped=0x0) returned 1 [0082.854] SetFilePointer (in: hFile=0x1cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x586e [0082.854] WriteFile (in: hFile=0x1cc, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x23be1e8*=0x7, lpOverlapped=0x0) returned 1 [0082.854] SetFilePointer (in: hFile=0x1cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x5875 [0082.854] SetErrorMode (uMode=0x1) returned 0x1 [0082.854] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0082.854] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0082.854] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x23bd1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190 | out: pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190) returned 1 [0082.854] CryptAcquireContextW (in: phProv=0x23bd1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x23bd1a0*=0x24ca98) returned 1 [0082.855] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24ca98, dwCertEncodingType=0x1, pInfo=0x24a0f8, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x23bd1a8 | out: phKey=0x23bd1a8*=0x243138) returned 1 [0082.855] CryptEncrypt (in: hKey=0x243138, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x23bd1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x23bd1ac*=0x80) returned 1 [0082.855] CryptEncrypt (in: hKey=0x243138, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24bd50*, pdwDataLen=0x23bd19c*=0x75, dwBufLen=0x80 | out: pbData=0x24bd50*, pdwDataLen=0x23bd19c*=0x80) returned 1 [0082.855] WriteFile (in: hFile=0x1cc, lpBuffer=0x24bd50*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x24bd50*, lpNumberOfBytesWritten=0x23be1e8*=0x80, lpOverlapped=0x0) returned 1 [0082.855] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0082.855] VirtualFree (lpAddress=0x3c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.855] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.855] CloseHandle (hObject=0x1cc) returned 1 [0082.856] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\cBP N0kdCH8mn.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\cbp n0kdch8mn.mp3")) returned 1 Thread: id = 50 os_tid = 0x1a4 [0082.987] lstrcpyA (in: lpString1=0x23bfe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0082.987] lstrcpyW (in: lpString1=0x23bfa1c, lpString2="vIuuzBVEyKDY.mkv" | out: lpString1="vIuuzBVEyKDY.mkv") returned="vIuuzBVEyKDY.mkv" [0082.987] lstrcpyW (in: lpString1=0x23bea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" [0082.987] SetErrorMode (uMode=0x1) returned 0x1 [0082.987] lstrcpyW (in: lpString1=0x23be1ec, lpString2="vIuuzBVEyKDY.mkv" | out: lpString1="vIuuzBVEyKDY.mkv") returned="vIuuzBVEyKDY.mkv" [0082.987] wsprintfW (in: param_1=0x23bee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\vIuuzBVEyKDY.mkv") returned 60 [0082.987] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\vIuuzBVEyKDY.mkv", dwFileAttributes=0x20) returned 1 [0082.988] StrStrW (lpFirst="vIuuzBVEyKDY.mkv", lpSrch=".Clop") returned 0x0 [0082.988] wsprintfW (in: param_1=0x23bf60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\vIuuzBVEyKDY.mkv.Clop") returned 65 [0082.988] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\vIuuzBVEyKDY.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\viuuzbveykdy.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x348 [0082.988] ReadFile (in: hFile=0x348, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0xa759, lpNumberOfBytesRead=0x23be1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x23be1d8*=0xa759, lpOverlapped=0x0) returned 1 [0082.989] CloseHandle (hObject=0x348) returned 1 [0082.989] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0082.989] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0082.989] SetErrorMode (uMode=0x1) returned 0x1 [0082.989] CryptAcquireContextW (in: phProv=0x23be1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x23be1b0*=0x24bcc8) returned 1 [0082.993] CryptGenKey (in: hProv=0x24bcc8, Algid=0x1, dwFlags=0x4000, phKey=0x23be1b4 | out: phKey=0x23be1b4*=0x243238) returned 1 [0083.032] CryptExportKey (in: hKey=0x243238, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x23be1d4 | out: pbData=0x0*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0083.032] CryptExportKey (in: hKey=0x243238, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3d0000, pdwDataLen=0x23be1d4 | out: pbData=0x3d0000*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0083.032] CryptDestroyKey (hKey=0x243238) returned 1 [0083.032] CryptReleaseContext (hProv=0x24bcc8, dwFlags=0x0) returned 1 [0083.032] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\vIuuzBVEyKDY.mkv.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\viuuzbveykdy.mkv.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x348 [0083.033] WriteFile (in: hFile=0x348, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0xa759, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x23be1e8*=0xa759, lpOverlapped=0x0) returned 1 [0083.034] SetFilePointer (in: hFile=0x348, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xa759 [0083.034] WriteFile (in: hFile=0x348, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x23be1e8*=0x7, lpOverlapped=0x0) returned 1 [0083.034] SetFilePointer (in: hFile=0x348, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xa760 [0083.034] SetErrorMode (uMode=0x1) returned 0x1 [0083.034] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0083.034] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0083.034] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x23bd1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190 | out: pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190) returned 1 [0083.034] CryptAcquireContextW (in: phProv=0x23bd1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x23bd1a0*=0x24bcc8) returned 1 [0083.035] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24bcc8, dwCertEncodingType=0x1, pInfo=0x249f58, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x23bd1a8 | out: phKey=0x23bd1a8*=0x243238) returned 1 [0083.035] CryptEncrypt (in: hKey=0x243238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x23bd1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x23bd1ac*=0x80) returned 1 [0083.035] CryptEncrypt (in: hKey=0x243238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c108*, pdwDataLen=0x23bd19c*=0x75, dwBufLen=0x80 | out: pbData=0x24c108*, pdwDataLen=0x23bd19c*=0x80) returned 1 [0083.035] WriteFile (in: hFile=0x348, lpBuffer=0x24c108*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x24c108*, lpNumberOfBytesWritten=0x23be1e8*=0x80, lpOverlapped=0x0) returned 1 [0083.035] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0083.035] VirtualFree (lpAddress=0x3c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.036] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.036] CloseHandle (hObject=0x348) returned 1 [0083.053] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\vIuuzBVEyKDY.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\viuuzbveykdy.mkv")) returned 1 Thread: id = 51 os_tid = 0x838 [0083.067] lstrcpyA (in: lpString1=0x23bfe1c, lpString2="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" | out: lpString1="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----" [0083.067] lstrcpyW (in: lpString1=0x23bfa1c, lpString2="YxwGk89V20MALzff.bmp" | out: lpString1="YxwGk89V20MALzff.bmp") returned="YxwGk89V20MALzff.bmp" [0083.067] lstrcpyW (in: lpString1=0x23bea0c, lpString2="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\" [0083.067] SetErrorMode (uMode=0x1) returned 0x1 [0083.067] lstrcpyW (in: lpString1=0x23be1ec, lpString2="YxwGk89V20MALzff.bmp" | out: lpString1="YxwGk89V20MALzff.bmp") returned="YxwGk89V20MALzff.bmp" [0083.067] wsprintfW (in: param_1=0x23bee0c, param_2="%s%s" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\YxwGk89V20MALzff.bmp") returned 64 [0083.067] SetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\YxwGk89V20MALzff.bmp", dwFileAttributes=0x20) returned 1 [0083.068] StrStrW (lpFirst="YxwGk89V20MALzff.bmp", lpSrch=".Clop") returned 0x0 [0083.068] wsprintfW (in: param_1=0x23bf60c, param_2="%s%s.Clop" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\YxwGk89V20MALzff.bmp.Clop") returned 69 [0083.068] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\YxwGk89V20MALzff.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\yxwgk89v20malzff.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x344 [0083.071] ReadFile (in: hFile=0x344, lpBuffer=0x26dfe8, nNumberOfBytesToRead=0x5a8e, lpNumberOfBytesRead=0x23be1d8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesRead=0x23be1d8*=0x5a8e, lpOverlapped=0x0) returned 1 [0083.071] CloseHandle (hObject=0x344) returned 1 [0083.071] VirtualAlloc (lpAddress=0x0, dwSize=0x75, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0083.071] VirtualAlloc (lpAddress=0x0, dwSize=0x12c, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0083.072] SetErrorMode (uMode=0x1) returned 0x1 [0083.072] CryptAcquireContextW (in: phProv=0x23be1b0, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0x0 | out: phProv=0x23be1b0*=0x24c7f0) returned 1 [0083.074] CryptGenKey (in: hProv=0x24c7f0, Algid=0x1, dwFlags=0x4000, phKey=0x23be1b4 | out: phKey=0x23be1b4*=0x2271a8) returned 1 [0083.110] CryptExportKey (in: hKey=0x2271a8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x0, pdwDataLen=0x23be1d4 | out: pbData=0x0*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0083.110] CryptExportKey (in: hKey=0x2271a8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3d0000, pdwDataLen=0x23be1d4 | out: pbData=0x3d0000*, pdwDataLen=0x23be1d4*=0x94) returned 1 [0083.110] CryptDestroyKey (hKey=0x2271a8) returned 1 [0083.110] CryptReleaseContext (hProv=0x24c7f0, dwFlags=0x0) returned 1 [0083.110] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\YxwGk89V20MALzff.bmp.Clop" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\yxwgk89v20malzff.bmp.clop"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x344 [0083.111] WriteFile (in: hFile=0x344, lpBuffer=0x26dfe8*, nNumberOfBytesToWrite=0x5a8e, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x26dfe8*, lpNumberOfBytesWritten=0x23be1e8*=0x5a8e, lpOverlapped=0x0) returned 1 [0083.112] SetFilePointer (in: hFile=0x344, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x5a8e [0083.112] WriteFile (in: hFile=0x344, lpBuffer=0x4157c0*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x4157c0*, lpNumberOfBytesWritten=0x23be1e8*=0x7, lpOverlapped=0x0) returned 1 [0083.112] SetFilePointer (in: hFile=0x344, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x5a95 [0083.112] SetErrorMode (uMode=0x1) returned 0x1 [0083.112] lstrlenA (lpString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----") returned 271 [0083.112] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x23bd1b0, pcbBinary=0x23bd1a4, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0083.112] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x23bd1b0, cbEncoded=0xa2, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190 | out: pvStructInfo=0x23bd198, pcbStructInfo=0x23bd190) returned 1 [0083.112] CryptAcquireContextW (in: phProv=0x23bd1a0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x23bd1a0*=0x24c7f0) returned 1 [0083.112] CryptImportPublicKeyInfoEx (in: hCryptProv=0x24c7f0, dwCertEncodingType=0x1, pInfo=0x280008, aiKeyAlg=0x0, dwFlags=0x0, pvAuxInfo=0x0, phKey=0x23bd1a8 | out: phKey=0x23bd1a8*=0x243278) returned 1 [0083.112] CryptEncrypt (in: hKey=0x243278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x23bd1ac*=0x75, dwBufLen=0x75 | out: pbData=0x0*, pdwDataLen=0x23bd1ac*=0x80) returned 1 [0083.112] CryptEncrypt (in: hKey=0x243278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24bdd8*, pdwDataLen=0x23bd19c*=0x75, dwBufLen=0x80 | out: pbData=0x24bdd8*, pdwDataLen=0x23bd19c*=0x80) returned 1 [0083.113] WriteFile (in: hFile=0x344, lpBuffer=0x24bdd8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x23be1e8, lpOverlapped=0x0 | out: lpBuffer=0x24bdd8*, lpNumberOfBytesWritten=0x23be1e8*=0x80, lpOverlapped=0x0) returned 1 [0083.113] SetFilePointer (in: hFile=0x74f66590, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xffffffff [0083.113] VirtualFree (lpAddress=0x3c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.113] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.113] CloseHandle (hObject=0x344) returned 1 [0083.114] DeleteFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\RLLU ZUe1iZ8\\YxwGk89V20MALzff.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rllu zue1iz8\\yxwgk89v20malzff.bmp")) returned 1 Thread: id = 52 os_tid = 0xad8 Thread: id = 53 os_tid = 0xc14